The term PreAMo refers to a massive ad clicker campaign enabled by applications on the Google Play Store. Cybersecurity researchers discovered the PreAMo clicker campaign in April 2019 while investigating questionable clicks on advertisements from the ad networks Presage, Admob and Mopub. One of the most downloaded apps associated with PreAMo is the 'RAM Master - Memory Optimizer' published by 'Pic Tools Group,' which has over 90 million downloads. The PreAMo campaign consists of three modules each tailored to exploiting advertisements by Presage, Admob and Mopub. The unifying factor here is that the corrupted applications are communicating with only one command server at — res.mnexuscdn[.]com.
The PreAMo malware monitors banners loaded in a corrupted app and simulate user interaction. The PreAMo malware seeks out the content provided by Presage, Admob, and Mopub by running a listener service. The hackers behind the PreAMo ad clicker campaign abuse the 'MotionEvent' function in Android to simulate user clicks. The PreAMo author uses three monitoring services to target advertisements provided by Presage, Admob and Mopub. The PreAMo malware is programmed to check with the command server for the necessary configurations regarding ad placement and timed display. The actors behind the PreAMo ad clicker tactic simulate organic ad traffic given the high income that ad networks provide actively. Android users are not likely to notice PreAMo activity since the clicks happen in the background. You can take steps to avoid compromised applications by installing a security solution from a credible developer, check application reviews and related application developer information.