Stats say it was installed up to 500,000 times

Apr 27, 2015 15:04 GMT

A fake second version of the video messaging app Dubsmash made it into Google’s official app store, where it sought victims for a click-fraud operation that accessed links on adult websites every 60 seconds.

Crooks behind Dubsmash 2 preyed on the popularity of the original app (it has between 10 and 50 million downloads), whose fame increased once celebrities such as Reese Witherspoon, Sofía Vergara or Hugh Jackman started using it.

Naughty app tries to remove its traces

Once the rogue variant reaches the device, it runs as “com.table.hockes” and adds an icon that claims to lead to a settings panel. This way, its author(s) ensure that the app is not easily found and removed.

Researchers at Avast analyzed Dubsmash 2 and noticed that it started automatically when a connection to the Internet was detected. The next step was to contact an encrypted URL to receive permission to begin its activity. If the reply contains the character “1”, two services are deployed: MyService and Streaming.

One of the actions taken by the former is to delete the app’s icon. At the same time, a task is scheduled to run in the background every minute, which adds a list of adult sites and JavaScript code to the phone.

Click-fraud activity carried out stealthily in the background

The click-fraud activity starts with a website launched in the web browser, followed after a 10-second delay by the execution of the JavaScript code, whose purpose is to access the links on the loaded page.
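A defender's view of the traffic pattern described above, as an added example that is not from Avast or the original article: it flags clients whose request bursts (a page load followed by link hits) recur about every 60 seconds. The log format, addresses, host names and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def parse(lines):
    """Yield (client, timestamp) from 'ISO-time client host' lines; skip malformed."""
    for line in lines:
        parts = line.split()
        try:
            yield parts[1], datetime.fromisoformat(parts[0])
        except (IndexError, ValueError):
            continue

def burst_starts(stamps, burst_window=30.0):
    """Collapse a page load and the link hits that follow it into one burst."""
    starts = []
    for ts in sorted(stamps):
        if not starts or (ts - starts[-1]).total_seconds() > burst_window:
            starts.append(ts)
    return starts

def periodic_clients(lines, period=60.0, tolerance=5.0, min_bursts=5, ratio=0.8):
    """Return {client: burst count} for clients whose bursts recur every ~period s."""
    by_client = defaultdict(list)
    for client, ts in parse(lines):
        by_client[client].append(ts)
    flagged = {}
    for client, stamps in by_client.items():
        starts = burst_starts(stamps)
        if len(starts) < min_bursts:
            continue  # too little traffic to call it a pattern
        gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
        regular = sum(abs(g - period) <= tolerance for g in gaps)
        if regular / len(gaps) >= ratio:
            flagged[client] = len(starts)
    return flagged

def constructed_sample():
    """Constructed log, not real traffic: one timer-driven client, one human."""
    t0 = datetime(2015, 4, 27, 10, 0, 0)
    lines = ["not a log line"]  # malformed input is skipped by parse()
    for i in range(8):  # page load each minute (small jitter), link hits 10 s later
        load = t0 + timedelta(seconds=60 * i + (i % 3))
        lines.append(f"{load.isoformat()} 10.0.0.5 site{i}.example")
        for k in range(2):
            hit = load + timedelta(seconds=10 + k)
            lines.append(f"{hit.isoformat()} 10.0.0.5 site{i}.example")
    for s in (0, 7, 95, 300, 310, 900, 1500):  # irregular human browsing
        lines.append(f"{(t0 + timedelta(seconds=s)).isoformat()} 10.0.0.9 news.example")
    return lines

if __name__ == "__main__":
    print(periodic_clients(constructed_sample()))
```

Grouping by burst rather than by single request matters here: the 10-second gap between the page load and the scripted link hits would otherwise hide the one-minute cadence.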

In the case of the “Streaming” service, the activity is not hidden in the background and could be spotted. Aside from this, it would also run a task every 60 seconds.

“The task would check for changes in the device’s IP address or date. If either of them had changed, a video would launch in the device’s YouTube app. The YouTube app needed to be installed on the device for this to function properly. The video address was also obtained from an encrypted URL,” researchers say.

Following the analysis of the piece, Avast believes that the mischievous app originates from Turkey and suspects that the main goal is to earn its author money by clicking on advertisements.

Although Dubsmash 2 is not a direct risk, as it does not attempt to steal information from the compromised device, it still represents a risk to the user. Avast notified Google and the rogue app was booted from the Play store.

The app hides under the name "Settings IS"; removing it from the device can be done by simply uninstalling it.