McAfee cybersecurity researchers have identified sixteen applications carrying malware that were available in the Google Play Store, the official Android app store. Together, the applications have been installed more than 20 million times.
It is a “Clicker” type of malware, meaning it can control the victim’s device and visit websites without their knowledge or consent. The apps have since been removed from the store, but it is very likely that many users still have them installed on their phones.
The report details how the malicious apps pretended to be practical mobile tools like flashlights, task managers, calendars, camera apps, or note apps, among others.
However, once installed on users’ devices, the applications engaged in advertising fraud, such as visiting random websites to generate revenue for the attacker. The full list of apps containing the malware includes applications with millions of downloads from the Google Play Store. The names of the applications and their download counts at the time they were removed from Google Play are listed below.
- High-Speed Camera – Over 10M downloads
- Smart Task Manager – Over 5M downloads
- Flashlight+ – Over 1M downloads
- Memo Calendar – Over 1M downloads
- K-Dictionary – Over 1M downloads
- BusanBus – Over 1M downloads
- Flashlight+ – Over 500K downloads
- Quick Note – Over 500K downloads
- Currency Converter – Over 500K downloads
- Joycode – Over 100K downloads
- EzDica – Over 100K downloads
- Instagram Profile Downloader – Over 100K downloads
- Ez Notes – Over 100K downloads
- Flash Lite – Over 1K downloads
- Calcul – 100+ downloads
- Flashlight+ – 100+ downloads
How Does This Android Malware Work?
After the user launches the app, it sends an HTTP request to download its remote configuration. Once the configuration has been downloaded, it registers an FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance it looks like well-made Android software, but it uses remote configuration and FCM to conceal its ad-fraud features.
The FCM message contains the parameters of the function to be called as well as other information. The image below displays some of the history of FCM messages:
The latent function starts operating once an FCM message is received and certain conditions are met. It mainly consists of visiting the websites sent via the FCM message, browsing them one after another in the background while imitating user behavior. While this earns money for the threat actor who created the malware, it can generate a lot of network traffic and consume a lot of power without the user’s knowledge.
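The behavior described above leaves a measurable trace: an app that is supposedly a flashlight or a note-taker generates most of its web traffic while it is not in the foreground, spread across many different hosts. The following detector is an added example written for this page, not McAfee’s detection logic or code from the malware; the package names, the sample records and the thresholds are all constructed and hypothetical. It profiles per-app network samples (each tagged with the app that issued the request and the app that was in the foreground at the time) and flags apps whose traffic is almost entirely background browsing to many distinct hosts.

```python
"""Heuristic detector for clicker-style background browsing.

Added example for this article; not McAfee's detection logic.
Input records are constructed and the package names are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class NetSample:
    app: str         # package that issued the request (hypothetical names)
    foreground: str  # package that was in the foreground at the time
    url: str         # URL requested
    bytes_rx: int    # bytes received for this request


def background_profile(samples):
    """Return {app: (background_bytes, foreground_bytes, distinct_bg_hosts)}.

    A request counts as background traffic when the issuing app was not the
    foreground app, which is how clicker activity differs from a user
    actually browsing inside the app.
    """
    stats = defaultdict(lambda: [0, 0, set()])
    for s in samples:
        host = urlparse(s.url).hostname or ""
        entry = stats[s.app]
        if s.app == s.foreground:
            entry[1] += s.bytes_rx
        else:
            entry[0] += s.bytes_rx
            entry[2].add(host)
    return {app: (bg, fg, len(hosts)) for app, (bg, fg, hosts) in stats.items()}


def flag_clicker_candidates(samples, min_bg_share=0.9, min_hosts=5,
                            min_bytes=1_000_000):
    """Flag apps whose traffic is (a) large, (b) almost all background, and
    (c) spread over many distinct hosts. Thresholds are illustrative."""
    flagged = []
    for app, (bg, fg, hosts) in background_profile(samples).items():
        total = bg + fg
        if total >= min_bytes and bg / total >= min_bg_share and hosts >= min_hosts:
            flagged.append(app)
    return sorted(flagged)


# Constructed sample log: a "torch" app that fetches its config once in the
# foreground, then browses six unrelated hosts while the launcher is on screen;
# a browser used interactively; a weather app with small background syncs.
CONSTRUCTED_SAMPLES = [
    NetSample("com.example.torch", "com.example.torch", "https://cfg.example/remote.json", 20_000),
] + [
    NetSample("com.example.torch", "com.example.launcher", f"https://ad{i}.example/page", 250_000)
    for i in range(1, 7)
] + [
    NetSample("com.example.browser", "com.example.browser", f"https://site{i}.example/", 400_000)
    for i in range(1, 4)
] + [
    NetSample("com.example.browser", "com.example.launcher", "https://sync.example/", 50_000),
    NetSample("com.example.weather", "com.example.launcher", "https://api.weather.example/", 30_000),
    NetSample("com.example.weather", "com.example.launcher", "https://api.weather.example/", 30_000),
]

if __name__ == "__main__":
    for app, profile in background_profile(CONSTRUCTED_SAMPLES).items():
        print(f"{app}: background={profile[0]} foreground={profile[1]} hosts={profile[2]}")
    print("flagged:", flag_clicker_candidates(CONSTRUCTED_SAMPLES))
```

The three conditions are deliberately combined: a mail client also produces background traffic, and a browser also touches many hosts, but only the clicker-style app does both while the user is never looking at it. In practice the per-app foreground and traffic data would come from the platform’s usage and network statistics rather than from a constructed list.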
Conclusion
Anyone who has any of these apps installed should remove them from their device as soon as possible. They seem to be really dangerous!
Clicker malware, which targets illegitimate advertising revenue, can disrupt the mobile advertising ecosystem. Its malicious behavior is cunningly concealed from view: after a predetermined amount of time, malicious actions such as retrieving crawl URLs via FCM messages begin in the background, hidden from the user.
McAfee Mobile Security can identify and remove malicious programs like this one that may be running covertly in the background. McAfee also advises installing and enabling security software so that you are promptly notified of any mobile threats on your device. Once you remove this and other harmful applications, you can expect longer battery life and lower mobile data usage, while also keeping your sensitive and personal data safe from these and other types of threats. We strongly advise using a security app and avoiding installing applications from unofficial sources as much as possible.