
How often do you double check the credentials of a Google Play Store app before you click the buy button? Does it depend on what you’re downloading? What if the app has multiple entries? Popular Google Play Store apps with numerous download options should set your internal alarm bells ringing, and in many cases can be a clear sign malicious entities are at play.

Easily cloned, easily modified, and seemingly able to bypass Google’s security checks with ease, malicious porn clicker Trojans are masquerading as duplicate apps, waiting to infect your device.

How prevalent are they? What are your chances of downloading a malicious app? What happens if you download one, and most importantly, how can you avoid them?

Porn Clicker Trojans

Porn clicker Trojans are nothing new. Their success is built upon the willingness and naivety of the numerous Android users desperate to download the most popular apps and games for free, with a false belief they can gain something for nothing; yet again we see the common foibles of human nature exploited maliciously.

Researchers for security company ESET identified 343 malicious porn clickers between August 2015 and February 2016, with Android malware specialist researcher Lukáš Štefanko commenting “there have been many malware campaigns on Google Play, but none of the others have lasted so long or achieved such huge numbers of successful infiltrations.”

The Trojans are disguised as the most popular apps and games, unsurprisingly ensnaring thousands of users. For a sense of scale, each porn clicker has been downloaded an average of 3,600 times, disguised as My Talkin Angela, My Talkin Tom, GTA: San Andreas, GTA: Vice City, Subway Surfers, Hay Day, Temple Run, and plenty more.


Trojan porn clicker duplicate applications use a variety of product differentiation tactics to distinguish themselves from the real app. Common identifiers include free, 2015, 2016, V1, V2, V3, new version, F2P, and so on, obfuscating their real purpose while remaining as close to the real version as possible. Indeed, the most savvy attackers will copy product descriptions, use identical logos, and attempt to generate positive reviews through other compromised Google Play user accounts before the negative reviews begin to do their work.

Revenue

The primary goal of this malware variant is generating revenue. Trojan porn clickers create revenue by clicking on advertisements created by the attackers’ servers and placed on pornographic websites. This happens without the infected user’s knowledge, covertly consuming costly mobile data.

Thankfully, Lukáš Štefanko tested the data consumption of the Trojan porn clickers on two very common devices, a Samsung Galaxy S3 and a Samsung Galaxy S5. He installed a Trojan porn clicker openly found on the Google Play Store on each device, then left the device running for an hour to gauge just how much data would be consumed.

[Image: Android Porn Clicker Trojan Data Usage]

Štefanko’s test revealed slight variances in the amount of data consumed by the S3 and the S5, though it saw an average of 146MB of data exhausted within a single hour. Extrapolating, Štefanko believes the Trojan porn clickers can consume more than 3.5GB of data in a single day. Every day. Until the user realizes something is afoot, and attempts to stem the data flow.

HummingBad Variant

If the threat of duplicate applications harboring malicious code wasn’t bad enough, security researchers have also discovered an active Android malware, spread via an ongoing malvertising campaign. The HummingBad malware infiltrates a victim’s device through infected advertisements displayed on pornographic websites.

Once on the device, the HummingBad malware installs a rootkit, enabling an attacker to cause severe and prolonged damage to the user’s device, installing key-loggers, stealing data, capturing credentials, and, if given the chance, bypassing encrypted email containers. Andrey Polkovnichenko and Oren Koriat, two members of the Check Point Research Team who discovered the HummingBad malware, further explained its chain of attack:

“The malware then checks if the device is rooted or not. If the device is rooted, the malware continues straight to act on its objective. If the device is not rooted, the parent malware XOR decrypts a file from its assets called right_core.apk (every character is XORed against 85). The right_core.apk then decrypts a native library from a file called support.bmp. This native library is used to launch multiple exploits in an attempt to escalate privileges and gain root access.”

As with most malware, Android-based or not, once up and running the malware dials home to a command and control server for further instructions, some of which install further malicious apps, others which drive fraudulent traffic to different advertising servers, creating revenue.
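
A triage check built on the detail quoted above, added here as an example and not taken from the article or from Check Point: it scans an APK's assets/ folder for files that turn into a ZIP/APK, DEX or ELF header under a single-byte XOR, which is how the quoted right_core.apk was hidden. The sample APK, its contents and the function names are constructed for illustration.

```python
import io
import zipfile

# Four-byte magics worth flagging when they appear behind a one-byte XOR.
MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex", b"\x7fELF": "elf"}


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte of data with a single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_key(header: bytes):
    """Return (key, kind) if one non-zero XOR byte turns header into a magic."""
    if len(header) < 4:
        return None
    for magic, kind in MAGICS.items():
        key = header[0] ^ magic[0]  # the only key that could fix byte 0
        if key and xor_bytes(header[:4], key) == magic:
            return key, kind
    return None


def scan_apk_assets(apk_bytes: bytes):
    """List assets/ entries that decode to an archive or executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("assets/"):
                hit = find_xor_key(apk.read(name)[:4])
                if hit:
                    findings.append((name, hit[0], hit[1]))
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample: benign zip XORed with 85, plus a plain text asset."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"placeholder, not real code")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("assets/right_core.apk", xor_bytes(inner.getvalue(), 85))
        z.writestr("assets/readme.txt", b"hello world")
    return outer.getvalue()


if __name__ == "__main__":
    for name, key, kind in scan_apk_assets(build_sample_apk()):
        print(f"{name}: XOR key {key} reveals a {kind} header")
```

A hit means an asset is hiding an archive or executable behind trivial obfuscation, which is a reason to pull the app for closer analysis rather than proof of malice on its own.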

An Ongoing Problem

The major issue, aside from the actual Trojan porn clickers themselves, is the rate at which these malicious apps are slipping through the net and ending up on the Google Play Store. Once they are accepted, it is almost inevitable someone will download and activate the app, granting the attackers much needed revenue.

Google do have a Bouncer filter, designed to catch and curtail commonly submitted malicious code. The Google Play Store also has a human review process designed to stop any malicious apps reaching our devices.

Furthermore, Android has an inbuilt “Verify Apps” setting designed to block the installation of any app that could potentially cause harm to the user device. This is usually to stop any malicious APKs installing, though security researchers have noted the system only comes into play if the app has previously been removed from the Google Play Store. As each duplicate app contains a slight tweak on the active malicious code, as well as obfuscation tactics for longevity, their true purpose remains obscured. These systems are obviously not working.

However, there is one safeguard any user can take heed of: negative user reviews. It is one of the only security systems that can be overawed by the sheer weight of real users, yet not enough victims are doing their own due diligence and reading user reviews. Negative reviews usually happen for a reason.

In the case of malicious apps, users who have unfortunately been stung provide a much needed, though oft ignored safety net. You only have to look at the serious numbers of downloads to understand just how many people ignore the negative reviews, proceeding to download a malicious app when all the signs are screaming STOP.

You Can Stay Safe

Another facet of the issue is education. I always check the reviews before downloading. It seems extremely obvious to me, and anything with a massive amount of negative reviews, or swimming in one star ratings is, at least to me, a massive no-no.

[Image: Grand Theft Auto San Andreas Google Play Store Entry]

Others are not so easily dissuaded. But you should take those few precious minutes to double check an app before downloading:

  • Check the app reviews. If they’re terrible, don’t download it!
  • Check for duplicates of the app. There should only be one version!
  • Check the developer name and number of downloads. An extremely popular app will have millions of downloads alongside the expected developer name e.g. GTA: San Andreas has Rockstar Games as the named developer, over 175k reviews in total, and just under 1,000,000 downloads — as you would expect from an extremely popular title.
  • Check the app names for differentiators such as free, 2015, 2016, V1, V2, V3, new version, and F2P, and cross-reference them online.
  • Check “[app name]+malware” in a Google search. It should quickly reveal any ongoing malware campaigns.
  • Check “[app name]+sale” in a Google search. Paid apps don’t suddenly become free. It isn’t unheard of, but is certainly uncommon.
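
The duplicate, developer-name and differentiator checks from the list above can be automated over a set of store listings; the following is an added example, not code from the article. The listing records, the placeholder developer names and the function names are constructed, and only the GTA: San Andreas and Rockstar Games pairing comes from the text.

```python
import re

# Differentiator tokens from the checklist; "new version" is split in two.
DIFFERENTIATORS = {"free", "2015", "2016", "v1", "v2", "v3", "new", "version", "f2p"}


def tokens(title: str):
    """Lower-case a title and split it into alphanumeric tokens."""
    return re.findall(r"[a-z0-9]+", title.lower())


def base_title(title: str) -> str:
    """Title with punctuation and differentiator tokens removed."""
    return " ".join(t for t in tokens(title) if t not in DIFFERENTIATORS)


def flag_lookalikes(listings, known_apps):
    """Return (title, reasons) for listings that imitate a known app."""
    known = {base_title(t): dev for t, dev in known_apps.items()}
    seen, flagged = {}, []
    for item in listings:
        base = base_title(item["title"])
        if base not in known:
            continue  # not a copy of anything on the reference list
        seen[base] = seen.get(base, 0) + 1
        reasons = []
        if item["developer"] != known[base]:
            reasons.append("unexpected developer")
        extra = [t for t in tokens(item["title"]) if t in DIFFERENTIATORS]
        if extra:
            reasons.append("differentiator: " + " ".join(extra))
        if seen[base] > 1:
            reasons.append("duplicate entry")
        if reasons:
            flagged.append((item["title"], reasons))
    return flagged


# Constructed sample data; only the Rockstar Games pairing comes from the article.
KNOWN_APPS = {"GTA: San Andreas": "Rockstar Games"}
LISTINGS = [
    {"title": "GTA: San Andreas", "developer": "Rockstar Games"},
    {"title": "GTA San Andreas Free 2016", "developer": "example-dev"},
    {"title": "Weather Widget", "developer": "another-dev"},
]

if __name__ == "__main__":
    for title, reasons in flag_lookalikes(LISTINGS, KNOWN_APPS):
        print(f"{title}: {', '.join(reasons)}")
```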

Finally, Android and other mobile malware is on the rise. Just as we are seeing a surge in advanced ransomware on laptops and PCs, attackers are wise to common vulnerabilities in the most popular operating systems, as well as the obvious flaws in the human psyche. Don’t let yourself become part of the statistic!

Have you been victim to an Android porn clicker? How did you realize, and how did you get rid of it? Let us know below!
