As many as 16 malicious apps with over 20 million cumulative downloads have been taken down from the Google Play Store after they were caught committing mobile ad fraud.
The Clicker malware masqueraded as seemingly harmless utilities like cameras, currency/unit converters, QR code readers, note-taking apps, and dictionaries, among others, in a bid to trick users into downloading them, cybersecurity firm McAfee said.
The list of offending apps is as follows -
- High-Speed Camera (com.hantor.CozyCamera) - 10,000,000+ downloads
- Smart Task Manager (com.james.SmartTaskManager) - 5,000,000+ downloads
- Flashlight+ (kr.caramel.flash_plus) - 1,000,000+ downloads
- 달력메모장 (com.smh.memocalendar) - 1,000,000+ downloads
- K-Dictionary (com.joysoft.wordBook) - 1,000,000+ downloads
- BusanBus (com.kmshack.BusanBus) - 1,000,000+ downloads
- Flashlight+ (com.candlencom.candleprotest) - 500,000+ downloads
- Quick Note (com.movinapp.quicknote) - 500,000+ downloads
- Currency Converter (com.smartwho.SmartCurrencyConverter) - 500,000+ downloads
- Joycode (com.joysoft.barcode) - 100,000+ downloads
- EzDica (com.joysoft.ezdica) - 100,000+ downloads
- Instagram Profile Downloader (com.schedulezero.instapp) - 100,000+ downloads
- Ez Notes (com.meek.tingboard) - 100,000+ downloads
- 손전등 (com.candlencom.flashlite) - 1,000+ downloads
- 계산기 (com.doubleline.calcul) - 100+ downloads
- Flashlight+ (com.dev.imagevault) - 100+ downloads
The Clicker app, once installed and launched, unleashes its fraudulent functionality that enables the malware to covertly visit bogus websites and simulate ad clicks without the victims' knowledge.
Stay ahead with actionable insights on how ITDR identifies and mitigates threats. Learn about the indispensable role of SSPM in ensuring your identity remains unbreachable.Supercharge Your Skills
"This may cause heavy network traffic and consume power without user awareness during the time it generates profit for the threat actor behind this malware," McAfee researcher SangRyol Ryu said.
To further conceal its true motive, the app takes into account the app's installation time such that the suspicious activity doesn't kick in within the first one hour of downloading the app. It also incorporates a randomized delay in between to stay under the radar.
The findings arrive two months after McAfee discovered a dozen Android adware apps distributed on the Google Play Store, which harbored a malware strain called HiddenAds that were found to execute automatically without any user interaction.
"Clicker malware targets illicit advertising revenue and can disrupt the mobile advertising ecosystem," Ryu said. "Malicious behavior is cleverly hidden from detection."