December 10, 2018 at
New reports claim that 22 more apps with over 2 million confirmed downloads were recently removed from Google Play Store. The reason behind the removal was the discovery of a device-draining backdoor provided them with the ability to access hacker-controlled servers and download files from them.
One app, Sparkle Flashlight, has been a part of the play store since 2016/2017, and it has had a million downloads during this time, according to Sophos, a known antivirus provider. The secret downloader was supposedly added to Sparkle and two other apps back in March of this year. As for the rest of the apps, 19 of them became available in June and were confirmed to have had the downloader from the start.
Google removed the apps only recently, in late November. At that time, they were used in a scam revolving around continuously clicking on various ads. Sophos has organized the infected apps in an “Andr/Clickr-ad” family, which were starting as soon as they were downloaded on a device. Even if users chose to force-close them, the apps were still operational.
Not only that, but they consumed large amounts of bandwidth, and have also drained batteries. Sophos researchers wrote about the apps in their statement, saying that the app family is very well-organized, with persistent malware that can cause harm to users and their devices. Furthermore, it also harms companies that pay for having their ads posted, as the false clicks end up in companies counting on fake clients.
As for users themselves, battery drain and potential for downloading additional malware onto the device are a constant threat.
How do these apps function?
The apps are tasked with reporting to a domain controlled by their attacker or attackers. From there, they would download ad-fraud modules onto the phone, and in addition, every 80 seconds, the app would receive specific instructions regarding what to do next.
Downloaded modules would cause the phone to constantly click on the links that host ads. Users never noticed anything due to the fact that the ads were displayed in a window that was made to be zero pixels high and zero pixels wide.
Furthermore, the apps were also capable of tricking advertisers into thinking that the clicks are coming from a larger group of real users. This was done by manipulating user-agent strings, which caused the effect of different apps running on different phones.
This also included iPhones, according to Sophos’ report, including models from iPhone 5 to 8 Plus. As for Android phones, around 249 different devices and 33 brands were noticed by researchers. The false data is believed to have been used for several purposes, including higher prices for iPhone labels, as well as the fake increase in a number of devices that were clicking on the ads.
The point was to ensure that the attacker makes a maximum profit via these apps. They went to great lengths to achieve this, and they even made sure that the apps will automatically start running even if the phones end up being rebooted. If the app is force-closed, it would restart only three minutes later, while checking for new instructions occurred every 80 seconds, as mentioned.
This is only the last in a long string of similar discoveries within the Play Store. Despite Google’s efforts to eliminate malicious apps, new ones are constantly being found, often as part of large campaigns, but sometimes also on their own. While Google reacted quickly when it discovered the apps, numerous phones that have already downloaded them are still believed to be infected.