Android Clickfraud Apps Pose As iPhones To Make Extra Cash

Security firm Sophos has identified 22 Android apps that have been compromised with malware to enable advertising click fraud.

The apps, which collectively have been downloaded more than two million times on the Google Play store, are able to impersonate various models of smartphones including the Apple iPhone and iPad.

Masquerading as apps running on Apple devices lets these malicious Android apps earn extra rewards, as advertisers will pay a premium to reach the supposedly wealthy owners of Apple phones and tablets.

Android apps

The apps found by Sophos had been hosted on Google Play until last month, but Google has now removed them.

Sophos has labelled these fraudulent apps as ‘Andr/Clickr-AD’.

Essentially, they commit advertising click fraud, in which a malicious app or process bombards websites with false traffic to earn advertising revenue.

Sophos says it is a rapidly growing form of cybercrime on mobile and can be difficult to detect.

Advertising click fraud will also drain the battery more rapidly, as well as use a significantly greater amount of data.

“Three of the apps dated back at least a year, and one of them (a flashlight app) had been downloaded at least a million times, but the majority of these malicious apps were created during or after June, 2018,” said Sophos. “The three oldest apps didn’t start out evil, but they seem to have been Trojanized with the clickfraud code added into the apps at around the same time, in June.”

“Google took action and removed the apps from the Play Market during the week of November 25th,” the firm said. “The apps can no longer be downloaded from the official Google store, but the C2 infrastructure remains active. Apps from this collection (listed at the end of this post) that remain installed on devices may still be delivering a constant revenue stream to the apps’ creators by continuing to defraud advertising networks.”

Disguising malware

These infected apps work by contacting a common attacker-controlled server to download an ad-fraud module or SDK.

This module would receive a command from the server every 80 seconds to open a window that was zero pixels by zero pixels in size, and therefore unnoticeable to the user. It would then proceed to repeatedly click on ads, to inflate numbers and bring in fraudulently acquired revenue.

The truly devious nature of these apps is that they can pretend to be coming from a variety of smartphone models including the Apple iPhone.
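A defender can look for both traits described above in proxy or DNS-gateway logs: traffic to one host on a roughly 80-second cadence, and a managed Android device presenting an Apple User-Agent. The sketch below is an added example, not code from Sophos or from the article; the log layout, device inventory, host names, tolerance and minimum run length are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from statistics import median

BEACON_SECONDS = 80  # polling interval reported in the article
TOLERANCE = 5        # assumed jitter allowance, in seconds
MIN_REQUESTS = 4     # assumed minimum run length before flagging a cadence

IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 11_3 like Mac OS X)"   # constructed
IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 11_3 like Mac OS X)"              # constructed
ANDROID_UA = "Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2)"             # constructed

# Constructed sample records: (epoch seconds, device id, destination host, User-Agent)
SAMPLE_LOG = [
    (1000, "android-01", "c2.example.invalid", IPHONE_UA),
    (1081, "android-01", "c2.example.invalid", IPHONE_UA),
    (1160, "android-01", "c2.example.invalid", IPHONE_UA),
    (1239, "android-01", "c2.example.invalid", IPHONE_UA),
    (1320, "android-01", "c2.example.invalid", IPHONE_UA),
    (1010, "android-02", "news.example.invalid", ANDROID_UA),
    (1500, "android-02", "news.example.invalid", ANDROID_UA),
    (1600, "android-02", "ads.example.invalid", IPAD_UA),
]

# Constructed inventory: the platform each managed device actually runs
INVENTORY = {"android-01": "android", "android-02": "android"}

def claims_apple(user_agent):
    """True when the User-Agent presents itself as an iPhone or iPad."""
    return "iPhone" in user_agent or "iPad" in user_agent

def find_suspects(log, inventory):
    """Return {(device, host): [reasons]} for flows matching the reported behaviour."""
    flows = defaultdict(list)
    for ts, device, host, ua in log:
        flows[(device, host)].append((ts, ua))
    suspects = {}
    for (device, host), events in flows.items():
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        reasons = []
        # Cadence check: median gap near 80 s over a long enough run of requests
        if len(events) >= MIN_REQUESTS and abs(median(gaps) - BEACON_SECONDS) <= TOLERANCE:
            reasons.append("periodic_80s")
        # Identity check: inventory says Android, traffic claims to be an Apple device
        if inventory.get(device) == "android" and any(claims_apple(ua) for _, ua in events):
            reasons.append("ua_platform_mismatch")
        if reasons:
            suspects[(device, host)] = reasons
    return suspects
```

Either signal alone can have benign causes (polling apps, browsers set to a desktop or alternate User-Agent), so the two together on one flow are the stronger indicator.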

“Andr/Clickr-ad is a well-organised, persistent malware that has the potential to cause serious harm to end users, as well as the entire Android ecosystem,” noted Sophos. “These apps generate fraudulent requests that cost ad networks significant revenue as a result of the fake clicks.”

“From the user’s perspective, these apps drain their phone’s battery and may cause data overages as the apps are constantly running and communicating with servers in the background,” it said. “Furthermore, the devices are fully controlled by the C2 server and can potentially install any malicious modules upon the instructions of the server.”


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
