Fake Dubsmash 2 app downloaded over 10,000 times in 3 days

May 29, 2015 15:33 GMT

Multiple fake apps in Google Play trick users into installing them and secretly open web pages with adult content to click on advertisements and generate revenue.

To attract unsuspecting Android users, the rogue apps pose as a second version of Dubsmash, a highly popular product installed at least 50 million times.

Smut content loaded in invisible window

Lukas Stefanko from ESET says that the company’s researchers identified nine such apps, one of which was downloaded more than 10,000 times during its three-day stay on Google Play that started on May 23.

The behavior of the fraudulent package is similar to a previous case, reported by Avast towards the end of April. After installation, the fake Dubsmash 2 pretends to be a system application or an arcade game, and upon its first launch it hides its icon to make it more difficult to identify.

Its process runs in the background, though, accessing adult pages every 60 seconds and clicking on the ads available. The content is loaded “into WebView inside an invisible window, with a random clicking pattern applied,” Stefanko says in a blog post on Thursday.
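A defender-side illustration of the 60-second cadence described above, added here as an example and not taken from ESET's analysis: it scans proxy-style log lines for a device that requests the same host at a steady interval. The log format, the device and host names, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample lines: "timestamp device destination-host"
SAMPLE_LOG = """\
2015-05-29T10:00:02 phone-a ads.example.test
2015-05-29T10:01:01 phone-a ads.example.test
2015-05-29T10:02:03 phone-a ads.example.test
2015-05-29T10:03:02 phone-a ads.example.test
2015-05-29T10:04:00 phone-a ads.example.test
2015-05-29T10:05:02 phone-a ads.example.test
2015-05-29T10:00:10 phone-b news.example.test
2015-05-29T10:00:12 phone-b news.example.test
2015-05-29T10:07:45 phone-b news.example.test
2015-05-29T10:31:20 phone-b news.example.test
2015-05-29T10:58:00 phone-b news.example.test
"""

def parse(log_text):
    """Group request times by (device, host); malformed lines are skipped."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            continue
        seen[(parts[1], parts[2])].append(ts)
    return seen

def periodic_pairs(log_text, period=60, tolerance=5, min_requests=5):
    """Return (device, host) pairs whose request gaps cluster around `period` seconds."""
    flagged = []
    for key, times in parse(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        near = sum(1 for g in gaps if abs(g - period) <= tolerance)
        # Require both the median gap and at least 80% of gaps to sit near the period.
        if abs(median(gaps) - period) <= tolerance and near / len(gaps) >= 0.8:
            flagged.append(key)
    return sorted(flagged)

if __name__ == "__main__":
    print(periodic_pairs(SAMPLE_LOG))
```

Human browsing, as in the phone-b lines, produces bursty and irregular gaps, so only the machine-paced pair is reported.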

New tricks spotted

One modification spotted by ESET is that the Trojan checks whether the mobile device has certain antivirus products installed. It looks for package names from a total of 16 vendors, including ESET, Symantec, Avast, Dr. Web and Avira.

“Package names are dynamically requested from server over HTTP. Package names can be easily updated to add other anti-malware applications. When the Trojan is installed it may not yet be detected by all AV solutions, but in many cases AV vendors can block URLs on request if they are found to be malicious,” the researcher explains.

Google removes Trojan, crook has no problem re-uploading

After the removal of the first click-fraud Trojan from Google Play, which recorded over 5,000 downloads between May 20 and May 22, the crook wasted no time pushing new fakes: ESET found fraudulent variants on May 25 and May 26, increasing the number to a total of nine.

Although all of them have been removed, this proves that cybercriminals will find ways around Google’s policies and verification mechanisms to publish unauthorized content in the official Android marketplace.

This sort of trouble can generally be avoided by reading reviews from other users who were duped, as well as by checking the list of permissions requested at installation.