Playstore  - ahSAK1544427657 - These 22 Apps in Playstore Drained Your Battery & Steal Personal Data

Researchers discovered malicious Android that uploaded in Google with Sophisticated click fraud functionality affected around 2 million Android users.

Some of the malicious apps are unnoticed for a month and year, some of the apps were uploaded in June 2018 and one of the malicious flashlight apps alone downloaded around 1 million users.

Attacker created these ad-clicker malware apps with more persistent functionality and flexible than other earlier versions.

- sparkle flashlight screen - These 22 Apps in Playstore Drained Your Battery & Steal Personal Data

Many of the apps contain downloader functionality and it using command and control server in order to retrieve the files.

Attackers send the direct instructions via C&C server to the malware apps that act like a normal ad that showing by legitimate apps.

Also they are using specific click fraud tools to report to the network using specific models of both Android and iOS phones and also full-screen ads are annoying users to create more attention and force then to click on it.

The affected user can experience malicious activities when the app using a high amount of and consume the phone’s power.

These all the malicious apps generate fraudulent requests that cost ad networks significant revenue using the fake clicks.

Click Fraud apps Working Methods

Intially once it’s launched, it just starts communicating with its C&C server by sending an HTTP GET request and servers return the  “sdk” commands along with URL to download an “sdk” module.

- res - These 22 Apps in Playstore Drained Your Battery & Steal Personal Data

In this case, c2 module keeps checking the time interval in “exp” filed and it keeps connecting with every 10 min to get its sdk again.

Another module called  “mpb” perform the ad-clicking and instruction from the C2 server and also server replies on another JSON structure that contains the parameters it will use to download the advertisement.

According to SOPHOS research, In our tests, we have observed both Android and iOS apps and User-Agent strings in the “pkg” field. So far, all these apps seem to be coming from a small number of developers.
It may be that all these developers are currently boosting each other’s ad income. But this architecture can potentially be used as a service to generate ad revenue for other apps as well.

Also researchers found the same developers who placed their malicious apps through iTunes Store.

In order the decrease the chance of detecting any suspicion from the Ad network, attackers forcing User-Agent and device fields generated network traffic looks like genuine traffic that originates from real devices.

The click fraud remains persistent, even when the user forces the app to quit and Out of 22 apps, 19 apps were created after June 2018. Most of them have contained this “sdk” downloading function since the first version. Researchers said.

IOC – Malicious Apps List

Package Name
Title
Sha1
com.sparkle.flashlight
Sparkle FlashLight
9ed2b260704fbae83c02f9f19a2c4e85b93082e7
com.mobilebt.snakefight
Snake Attack
0dcbbae5d18c33039db726afd18df59a77761c03
com.mobilebt.mathsolver
Math Solver
be300a317264da8f3464314e8fdf08520e49a55b
com.mobilebt.shapesorter
ShapeSorter
e28658e744b2987d31f26b2dd2554d7a639ca26d
com.takatrip.android
Tak A Trip
0bcd55faae22deb60dd8bd78257f724bd1f2fc89
com.magnifeye.android
Magnifeye
7d80bd323e2a15233a1ac967bd2ce89ef55d3855
com.pesrepi.joinup
Join Up
c99d4eaeebac26e46634fcdfa0cb371a0ae46a1a
com.pesrepi.zombiekiller
Zombie Killer
19532b1172627c2f6f5398cf4061cca09c760dd9
com.pesrepi.spacerocket
Space Rocket
917ab70fffe133063ebef0894b3f0aa7f1a9b1b0
com.pesrepi.neonpong
Neon Pong
d25fb7392fab90013e80cca7148c9b4540c0ca1d
app.mobile.justflashlight
Just Flashlight
6fbc546b47c79ace9f042ef9838c88ce7f9871f6
com.mobile.tablesoccer
Table Soccer
fea59796bbb17141947be9edc93b8d98ae789f81
com.mobile.cliffdiver
Cliff Diver
4b23f37d138f57dc3a4c746060e57c305ef81ff6
com.mobile.boxstack
Box Stack
c64ecc468ff0a2677bf40bf25028601bef8395fc
net.kanmobi.jellyslice
Jelly Slice
692b31f1cd7562d31ebd23bf78aa0465c882711d
com.maragona.akblackjack
AK Blackjack
91663fcaa745b925e360dad766e50d1cc0f4f52c
com.maragona.colortiles
Color Tiles
21423ec6921ae643347df5f32a239b25da7dab1b
com.beacon.animalmatch
Animal Match
403c0fea7d6fcd0e28704fccf5f19220a676bf6c
com.beacon.roulettemania
Roulette Mania
8ad739a454a9f5cf02cc4fb311c2479036c36d0a
com.atry.hexafall
HexaFall
751b515f8f01d4097cb3c24f686a6562a250898a
com.atry.hexablocks
HexaBlocks
ef94a62405372edd48993030c7f256f27ab1fa49
com.atry.pairzap
PairZap
6bf67058946b74dade75f22f0032b7699ee75b9e

 

You can follow us on LinkedinTwitterFacebook for daily updates also you can take the Best Cybersecurity courses online to keep your self-updated.





Source link

LEAVE A REPLY

Please enter your comment!
Please enter your name here