Android Clicker

Infosec researchers discovered infected applications spreading clicker malware on the Google Play store. The 16 corrupted applications found on the store are estimated to have been downloaded approximately 20 million times. The fraudulent programs carried a new mobile threat tracked as Android/Clicker. The researchers who released a report about the malware notified Google, and as a result, all of the applications carrying the payload were removed from the Play Store.

The numerous, threatening applications were presented to users as seemingly legitimate software products that provided genuinely useful functions - flashlights, cameras, task managers, QR Readers and unit/measurement converters. However, once the application is downloaded and opened, it executes an HTTP request to fetch its remote configuration. Afterward, it registers a Firebase Cloud Messaging (FCM) listener, allowing it to receive push messages from the attackers.

Threatening Capabilities

When fully established, Android/Clicker is capable of opening arbitrary websites in the background of the breached device. Most users would not even notice that such activities take place on the device, as the malware would activate itself only when the device is idle and not in use. It also would wait for at least an hour after its installation before running the fraudulent activities. Two major components of the threat have been analyzed - a library named 'com.click.cas' will be responsible for the automated clicks, while a different library named 'com.liveposting' focuses on running hidden adware activities.

In general, the operators of Android/Clicker could earn revenue through fraudulent clicks on affiliated websites. Devices impacted by the threat could suffer diminished performance and reduced battery life. Depending on the Internet plan of the victim, the malware also could cause additional mobile data fees.