A new variant of Clicker trojan was found infecting over 100 million Android users.
Doctor Web virus analysts have detected another such trojan on Google Play. The affected apps are all functional and include common applications like dictionaries, online maps, audio players, and barcode scanners.
Clicker trojans are widespread malicious programs, designed to increase website visit rates and earn money on online traffic. They simulate user actions on web pages by clicking on links and other interactive elements.
The trojan is a malicious module which, according to the Dr.Web classification, was dubbed Android.Click.312.origin. It is built into ordinary applications, such as dictionaries, online maps, audio players, barcode scanners, and other software. All these programs are operable and look harmless to Android users. Additionally, Android.Click.312.origin starts its malicious activity only 8 hours after launch, so as not to raise suspicion.
Apart from Android.Click.312.origin, Doctor Web has also identified a new version of the Clicker trojan named Android.Click.313.origin. The malware variant has been downloaded by at least 50 million people.
The malware is distributed via 34 malicious apps related to dictionaries, online maps, audio players, barcode scanners and other software. The malicious apps carrying the trojan are not only advertised on the Google Play Store but are also distributed via third-party websites. Some of these apps charge users for an unwanted subscription without their knowledge. The malicious apps misuse the WAP-Click technology when the device is connected to the internet via a mobile carrier.
Once the Clicker trojan is activated, it sends information about the infected device to the C&C server. The information sent includes the manufacturer and model, operating system version, user's country of residence and default system language, User-Agent ID, mobile carrier, internet connection type, display parameters, time zone, and data on the application containing the trojan. To avoid detection, the apps start any malicious activity only 8 hours after their installation.
“The Trojan is a malicious module that, according to Dr.Web classification, is named Android.Click.312.origin. It is built into ordinary applications – dictionaries, online maps, audio players, barcode scanners and other software,” reads the analysis published by the experts. “All these programs are workable, and for owners of Android devices look harmless. In addition, upon their launch, Android.Click.312.origin starts malicious activity after only 8 hours, so as not to cause suspicion among users.”
The Command & Control server, in turn, sends the necessary settings to the malware. The trojan remains active in the memory of infected devices and can carry out multiple malicious activities, such as advertising applications on Google Play, loading any websites, displaying advertisements or other content, and subscribing users to expensive premium services.
Virus analysts recommend that developers responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software. Dr.Web for Android successfully detects and removes applications that have the known modifications of Android.Click.312.origin embedded into them, so it poses no threat to our users.