22 Android Click Fraud Apps With Over 2 Million Downloads Deleted From Google Play Store

Fraudulent applications rely on an open backdoor to receive instructions from a command and control server, exposing users to greater potential danger.

Just under two dozen apps containing automated click fraud scripts were discovered by Sophos researchers, leading to their removal from the Google Play Store last month. The click fraud scripts in these applications were designed to hide the fraudulent clicks, and the ads being clicked on, as well as the identity of the requesting application and the operating system of the user's device.

Sophos researchers postulate that these Android apps disguised their requests as coming from iOS devices to obtain higher click-through rates: advertisers are willing to pay more to reach Apple device users on the assumption that Apple users have more money to spend than Android users. According to Sophos, the apps have been downloaded over 2 million times. Although they have been removed from the Play Store, copies already downloaded have not been removed from users' phones and tablets.


The click fraud script in these applications receives instructions from a command and control server over an unencrypted HTTP connection every 10 minutes. From those instructions it generates requests to ad networks with a fake user-agent string, then opens, clicks on, and closes the resulting ads in a zero-pixel window. The fake user-agent strings are meant to randomize the requests so that they do not raise suspicion of fraud.

According to Sophos, the spoofed data claims to come from “Apple models ranging from the iPhone 5 to 8 Plus, as well as 249 different spoofed Android models from 33 separate brands, allegedly running Android OS versions ranging from 4.4.2 to 7.x. This variety covers most popular mobile devices on the market.”

Because of this design, the fraudulent behavior is essentially invisible to the device owner, although users may notice above-average data usage and reduced battery life caused by the device's increased network activity. Even when one of the apps is force-closed, it is restarted by scheduled tasks and launches again at boot.
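Since the activity is invisible on the handset itself, the two behaviours described above, a fixed ten-minute poll over plain HTTP and ad requests carrying an Apple user agent from an Android device, are easiest to spot in network-side logs. The following Python script is an added example (not code from Sophos or from this article); the log lines, host names and user agents it uses are constructed samples.

```python
import re
from collections import defaultdict
from statistics import mean

# Constructed egress-proxy log for a single Android handset (sample data, not
# taken from the Sophos report): "<epoch-seconds> <scheme> <host> <user-agent>".
SAMPLE_LOG = """\
1543000000 http cc.example.invalid okhttp/3.8.1
1543000004 https adnet.example.invalid Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.4.7 Mobile/15C114
1543000305 https cdn.example.invalid Mozilla/5.0 (Linux; Android 7.0; SM-G930F) AppleWebKit/537.36 Mobile Safari/537.36
1543000600 http cc.example.invalid okhttp/3.8.1
1543000605 https adnet.example.invalid Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 Mobile/14E304
1543001200 http cc.example.invalid okhttp/3.8.1
1543001800 http cc.example.invalid okhttp/3.8.1
"""

IOS_UA = re.compile(r"\b(iPhone|iPad)\b")

def parse_log(text):
    """Return (timestamp, scheme, host, user_agent) tuples; the UA may contain spaces."""
    records = []
    for line in text.splitlines():
        ts, scheme, host, ua = line.split(" ", 3)
        records.append((int(ts), scheme, host, ua))
    return records

def find_plaintext_beacons(records, period=600, tolerance=30, min_hits=4):
    """Hosts contacted over plain HTTP at a near-constant interval (default 10 minutes)."""
    by_host = defaultdict(list)
    for ts, scheme, host, _ in records:
        if scheme == "http":
            by_host[host].append(ts)
    beacons = []
    for host, stamps in by_host.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= min_hits and all(abs(g - period) <= tolerance for g in gaps):
            beacons.append((host, round(mean(gaps))))
    return beacons

def find_spoofed_ios_agents(records):
    """Requests from this Android device whose User-Agent claims to be an Apple model."""
    return [(host, ua) for _, _, host, ua in records if IOS_UA.search(ua)]

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(find_plaintext_beacons(recs))   # [('cc.example.invalid', 600)]
    print(find_spoofed_ios_agents(recs))  # two requests to adnet.example.invalid
```

On a real proxy or NetFlow export the same two checks would be run per device, with the known platform of each device taken from the MDM inventory rather than hard-coded.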

Although the unencrypted HTTP connection has not been observed delivering other malware payloads, it could be used for that purpose, and the command and control server is still active despite the removal of these applications from the Google Play Store.

The full list of affected apps is available from Sophos.

The main points to remember for technology leaders:

  • 22 Android apps on the Google Play Store had click fraud scripts, which load and click on hidden ads. -Sophos, 2018
  • The apps have been removed from the Google Play Store, but the devices with the affected apps are still vulnerable. -Sophos, 2018

Image: Google

Sam D. Gomez