New Clicker Trojan Found Installed in 100 Million Android Users Device From Google Play Store
August 12, 2019 Share

New Clicker Trojan Found Installed in 100 Million Android Users Device From Google Play Store

New Clicker Trojan Found Installed in 100 Million Android Users Device From Google Play Store

A malicious module called Clicker Trojan installed on nearly 1000 million Android phones via Google play store apps such as audio players, barcode scanners, and other software.

Threat actors intended to add this malicious clicker trojan to increase website visit rates by simulating the user actions to clicking on links to earn money on online traffic.

All the malicious programs act as legitimate apps to steal a variety of sensitive data and report to the Command & Control server from infected devices. It collecting the following information.

  • manufacturer and model;
  • operating system version;
  • user’s country of residence and default system language;
  • User-Agent ID;
  • mobile carrier;
  • internet connection type;
  • display parameters;
  • time zone;
  • data on an application containing a trojan.

A Clicker Trojan dubbed Android.Click.312.origin planted in 33 application and hiding the icon after the installation process and requesting too many permission from the victim’s phone.

These applications were developed for not only advertised from Google Play store but its also distributing via websites and the trojan built-in applications to automatically subscribed to expensive content provider services.

Some of the users are frequently reporting in PlayStore that they are charged for some unwanted subscription without their knowledge.

First user comment: “After installation, it subscribes you to paid services! Be careful, do not install this application!!!”

Developer response: “What services? You’re wrong.”

Second user: “After installation, I was subscribed to 5 services and now my phone account is empty.”

User comment: “The moment you log in, it deducts 50 rubles. I don’t know what it is for, please explain.”

User comment: “The moment you log in, it deducts 50 rubles. I don’t know what it is for, please explain.”

According to Dr, Web research, “Since the trojan informs the command and control server about the current Internet connection type, the server can send a command to open a website of a partner service that supports the WAP-Click technology if the device is connected to the Internet via a mobile carrier”

Malicious apps misuse the WAP-Click, a technology that simplifies the subscription to various premium services without letting users know and there is no permission required to subscribe to the unwanted services.

There are nearly 34 apps were uncovered that installed in 51.7 million users device and additionally, a modified version of dubbed Android.Click.313.origin, was downloaded by at least 50 million Android users.

Package name SHA1 Minimal number of downloads
com.a13.gpslock c0ddd6a164905ef6f65ec06ff088a991c01687e9 50,000
com.a13softdev.qrcodereader ea3e521d80730097f2c48dd9f0432749a07b9562 1,000,000 66c75e23ab7169475043cdc120206c06b261349d 10,000,000
com.crics.cricketmazza 1915eb46bd9ee2fe6748deaa0750cee83f72f8e0 1,000,000
com.dictionary.englishurdu 6c1347786aef5beb0060229c043e5c2ab24f1210 5,000,000 b8370356b55b13824eac3f8c0129bc2a00ddaf93 1,000,000 100b7a782cf12c0d08b94b3a8425c972f44f2ddc 100,000
com.galaxyapps.routefinder 4328b4c99dac008e6c509ac1521014faa0dadcc3 5,000,000
com.guruinfomedia.ebook.pdfviewer 0a17c18c49c97cdf558a986037b0e4b0c8592442 100,000
com.guruinfomedia.gps.speedometer 7964ec42624b91280a044024906ce71ec46cc6ea 1,000,000
com.guruinfomedia.gps.speedometerpro eca09c6331129c86e95a64a2f89dce8ad23cfea0 50,000
com.guruinfomedia.notepad.texteditor 88d1c4d118decd4360e6a8abc186965ccc05fe23 1,000,000 c5caf490f8627f510553b9336d62fd28382d22d5 100,000
com.impactobtl.friendstrackerfree 0c7dbdb521efd7354d515e2b24c8f2c61432c4bc 1,000,000
com.impactobtl.whodeletedme 8b901532f3247bdafe84e2d315d900bfe3a91bd6 500,000
com.mapsnavigation.gpsroutefinder.locationtrackers fbe2ac65d1a9c2894821faaff000ea7ac1147cee 1,000,000
com.qibla.compass.prayertimes 034ba8339be985c137108f4064bff4e156817c51 100,000
com.qiblafinder.prayertime.hijricalendar ef8a44cabd1ed8ef37c303c8fc16effb6c28fa5c 1,000,000
com.quranmp3.readquran 9b4a330a6ebe026db5fd13483c1a0a9de4571c89 1,000,000
com.quranmp3ramadan.readquran a870ba7293fc5475b499466a90d9a38a539a645c 500,000
com.ramdantimes.prayertimes.allah b13b296d20f360f8413b49459dc7397799e38763 1,000,000
com.ramdantimes.qibla.prayertimes e74dec8b5ff7d0fa77f21f21fdb49f0e0f3722c7 500,000
com.sdeteam.gsa 4e8112e4e3039e4a8d2479e3acae858deae0c3a1 1,000,000
com.shikh.gurbaniradio.livekirtan 1c69c6cc2714496fb50818b1c46be0ca72086fad 100,000
com.studyapps.mathen 9498a03c48b4802d1e529e42d5dc72a7e2da1593 500,000
com.studyapps.obshestvo 4f2dfe1410b7de8f9301d5c54becfa87d7cdd276 100,000
com.tosi.bombujmanual 8161f174eb43ee98838410e08757dd6dc348b53f 500,000
com.videocutter.mp3converter f9a7b22c2a8c07cf1e878dc625ea60e634486333 1,000,000
com.vpn.powervpn a7dded17f59ad889d949232ee8b5c43d667ca351 1,000,000
liveearthcam.livewebcams.livestreetview 581f505f4a83ad2ff1823dd3477c000788a77829 500,000
qrcode.scanner.qrmaker a53bcd4a4313dee7d6fd226867a005b8549c0227 5,000,000
remove.unwanted.object 22f2690b89e8c1ea0172ced211d3d57f07118bcb 10,000,000
com.ixigo.train.ixitrain 700819680439ce23945f25a20f1be97a1ff7d074 50,000,000

All the above mentioned apps are reported to Google and quickly removed from Google Play. several apps are updated and removed the malicious modules. Dr, web said.

This post New Clicker Trojan Found Installed in 100 Million Android Users Device From Google Play Store originally appeared on GB Hackers.

Read More