Security researchers have discovered a batch of ad-fraud-enabling apps that have collectively been downloaded more than 2 million times on the Google Play store. The clever malware is able to impersonate various models of smartphones while it goes wild clicking online ads and draining your battery.
On Thursday, anti-virus provider Sophos published a report describing its discovery of 22 Android apps that contained a variety of malware the company has named “Andr/Clickr-ad.” The apps come from a variety of small developers, and Sophos said that Google removed them from its Play store at the end of November. One of the offending apps, Sparkle Flashlight, had been downloaded more than a million times, and many of the apps had strong reviews, according to Sophos.
The apps would contact a common attacker-controlled server, mobbt.com, to download an ad-fraud module, and they would receive a command from the server every 80 seconds, the researchers found. The malware’s job was to open a window that was 0 pixels x 0 pixels in size, and therefore unnoticeable by the user. It would proceed to repeatedly click on ads, juicing the network’s numbers and bringing in fraudulently acquired revenue. No specific ad network that may have benefited from the fraud was identified. While users probably wouldn’t want to participate in this fraud for any reason, the direct consequence for anyone who downloaded these apps is that their data and battery life were constantly being depleted. Even if the apps were force-closed, they automatically started up again in the background.
The most interesting part of the ad-clicker for Sophos was that it was able to identify itself as coming from a variety of smartphone models including the iPhone, despite the fact that these were Android-only apps. In total, it was able to masquerade as coming from “Apple models ranging from the iPhone 5 to 8 Plus and from 249 different forged models from 33 distinct brands of Android phones.” This contributed to hiding the fraud, and Sophos speculated that it might have been designed to increase revenues. From the report:
Advertisers will pay a premium to reach the supposedly deep-pocket owners of Apple phones and tablets. As clickfraud grows as a revenue stream for unscrupulous mobile app developers, it turns out that it pays well to lie about what kind of mobile device is fraudulently clicking those ads.
Sophos did say that researchers had discovered some apps on iOS that were by the same developers but did not contain any malicious code.
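For defenders, the two behaviors described above (a check-in with mobbt.com every 80 seconds and one device claiming to be many phone models) can be looked for in web proxy logs. The sketch below is an added example, not code from Sophos or from the report. The log layout, client addresses, other hostnames and User-Agent strings are constructed, and it assumes the forged model appears in the User-Agent header.

```python
from collections import defaultdict
from statistics import median

C2_HOST = "mobbt.com"    # server named in the article
BEACON_SECONDS = 80      # command interval reported in the article
# Constructed sample proxy log: epoch <TAB> client <TAB> host <TAB> User-Agent
SAMPLE_LOG = (
    "1000\t10.0.0.5\tmobbt.com\tDalvik/2.1.0 (Linux; U; Android 8.0.0; SM-G950F)\n"
    "1080\t10.0.0.5\tmobbt.com\tDalvik/2.1.0 (Linux; U; Android 8.0.0; SM-G950F)\n"
    "1085\t10.0.0.5\tads.example\tMozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X)\n"
    "1100\t10.0.0.7\tnews.example\tMozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X)\n"
    "1161\t10.0.0.5\tmobbt.com\tDalvik/2.1.0 (Linux; U; Android 8.0.0; SM-G950F)\n"
    "1240\t10.0.0.5\tmobbt.com\tDalvik/2.1.0 (Linux; U; Android 8.0.0; SM-G950F)\n"
    "1500\t10.0.0.7\tnews.example\tMozilla/5.0 (Linux; Android 8.1.0; Pixel 2)\n"
)

def parse(log):
    for line in log.splitlines():
        if line.strip():
            ts, client, host, ua = line.split("\t", 3)
            yield int(ts), client, host, ua

def beaconing_clients(records, host=C2_HOST, period=BEACON_SECONDS, tolerance=5, min_hits=4):
    """Clients whose requests to `host` recur at roughly `period` seconds."""
    times = defaultdict(list)
    for ts, client, h, _ in records:
        if h == host or h.endswith("." + host):
            times[client].append(ts)
    flagged = set()
    for client, seen in times.items():
        seen.sort()
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        if len(seen) >= min_hits and abs(median(gaps) - period) <= tolerance:
            flagged.add(client)
    return flagged

def mixed_platform_clients(records):
    """Clients whose User-Agents (assumed to carry the forged model) claim iOS and Android."""
    claimed = defaultdict(set)
    for _, client, _, ua in records:
        os_name = "ios" if ("iPhone" in ua or "iPad" in ua) else "android" if "Android" in ua else None
        claimed[client].add(os_name)
    return {c for c, p in claimed.items() if {"ios", "android"} <= p}

def suspects(log=SAMPLE_LOG):
    records = list(parse(log))
    return beaconing_clients(records) & mixed_platform_clients(records)

if __name__ == "__main__":
    print(sorted(suspects()))
```

The two signals are intersected because mixed platforms alone are noisy: in the sample, 10.0.0.7 stands for two real phones behind one NAT address and is not flagged.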
Mobile ad fraud has become a growing problem that one recent analysis from marketing firm Adjust found has doubled in the last year. While few people will shed a tear over some low-rent boner pill manufacturer losing some ad money, it’s just a simple fact that advertising is the economy that keeps the web running. If it’s devalued and untrustworthy for advertisers, the web as we know it is threatened.
Google did not respond to a request for comment sent by Gizmodo.
Android users should check the list below and make sure they aren’t running any of the battery-draining apps:

[Sophos via Ars Technica]