Real traffic forged via fake User Agents and device fields

Dec 6, 2018 21:32 GMT  ·  By

A group of 22 Android applications from the Google Play store was used in an advertising clickfraud scheme that faked genuine ad traffic by randomizing the device and User Agent information sent with each ad request.

As reported by Sophos, the apps, which were installed more than 2 million times by Android device owners, were used by the operators of the scheme to generate fraudulent ad traffic by faking clicks.

"The ad calls do not result in the expected, disruptive, full-screen ads that would otherwise annoy the user of the device and draw attention to the app," states Sophos' analysis. "Instead, malicious ad calls are made in a hidden browser window, inside of which the app simulates a user interaction with the advertisement."

Moreover, the ads are retrieved and "visited" continuously once the malicious applications are installed, which led Sophos to raise their classification from "potentially unwanted" apps to malware.

"Operating under the guise of playable games and functioning utilities, the apps also have downloader capabilities, if the command-and-control server instructs them to retrieve other files," says Sophos.

Once connected to their C2 servers, the apps were instructed "to send ad requests pretending to originate from a variety of apps (that are otherwise unrelated to these apps) running on a wide range of mobile phone models."

The malicious apps drain the batteries and consume the monthly mobile data quotas

Sophos' research team found that the C2 servers sent enough device and app profiles for the apps to pass their device info off as Apple phone models ranging from the iPhone 5 up to the iPhone 8 Plus.

In addition, the apps received instructions to fake the ad traffic as coming from 249 Android models made by 33 different brands, powered by Android versions from 4.4.2 to 7.x.
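The behaviour described above, a single installed app presenting ad requests as many different apps, platforms and device models, leaves a signature an ad network or app telemetry team can look for. The following is an added detection example, not code from Sophos or from the analysed apps: it parses constructed sample ad-request log lines (the `src=`/`app=`/`ua=` field layout is an assumption) and flags any source that switches platform or claims more than one device model.

```python
import re
from collections import defaultdict

# Constructed sample ad-request log lines (not real data). One "src" id per
# installed app instance, followed by the app package and User-Agent it claims.
SAMPLE_LOG = """\
src=dev-001 app=com.example.news ua="Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X)"
src=dev-001 app=com.example.weather ua="Mozilla/5.0 (Linux; Android 6.0.1; SM-G920F) AppleWebKit/537.36"
src=dev-001 app=com.example.game ua="Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5) AppleWebKit/537.36"
src=dev-001 app=com.example.shop ua="Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X)"
src=dev-002 app=com.example.game ua="Mozilla/5.0 (Linux; Android 7.0; LG-H870) AppleWebKit/537.36"
src=dev-002 app=com.example.game ua="Mozilla/5.0 (Linux; Android 7.0; LG-H870) AppleWebKit/537.36"
"""

LINE_RE = re.compile(r'src=(\S+) app=(\S+) ua="([^"]*)"')   # assumed log layout
MODEL_RE = re.compile(r'Android [\d.]+; ([^)]+)\)')          # model token in Android UAs

def platform_and_model(ua):
    """Derive (platform, model) from a User-Agent string; 'unknown' if unparsable."""
    if "iPhone" in ua:
        return ("ios", "iPhone")
    m = MODEL_RE.search(ua)
    if m:
        return ("android", m.group(1).strip())
    return ("unknown", "unknown")

def parse_log(text):
    """Collect the set of claimed (app, platform, model) tuples per source id."""
    profiles = defaultdict(set)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that do not fit the layout
        src, app, ua = m.groups()
        platform, model = platform_and_model(ua)
        profiles[src].add((app, platform, model))
    return profiles

def flag_sources(profiles, max_models=1):
    """Return {src: [reasons]} for sources whose claimed identity is inconsistent."""
    flagged = {}
    for src, seen in profiles.items():
        reasons = []
        platforms = {p for _, p, _ in seen}
        if len(platforms) > 1:            # one install cannot be both iOS and Android
            reasons.append("platform switches: %s" % sorted(platforms))
        models = {m for _, _, m in seen}
        if len(models) > max_models:      # a genuine device reports one model
            reasons.append("%d distinct device models" % len(models))
        if reasons:
            flagged[src] = reasons
    return flagged
```

A real deployment would key on whatever per-install identifier the ad SDK already reports and add a time window, but the consistency check itself is the same.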

The malware, which Sophos dubbed Andr/Clickr-AD, can also harm the infected phones and tablets: the devices drain both their battery and their bandwidth while continuously receiving commands from the bad actors behind the scheme.

Additionally, the malicious apps can be used to install other malware on the compromised devices with the help of the built-in downloader modules.

"When compared to known ad-clicker malware, the new functionality in these apps showed significant improvements: they were better at remaining persistent, more flexible, and more deceptive than earlier generations," concluded Sophos' Chen Yu.

Malicious Apps To Remove

Images: "Andr/Clickr-AD advertising clickfraud scheme"; "Clickfraud code shown in an Android debugger window"