McAfee has reported that 16 malicious apps have been removed from the Google Play store, with a total of over 20 million downloads. All of these applications were infected with Clicker adware and disguised as harmless utilities.
The researchers say that Clicker could be downloaded under the guise of a flashlight, a camera, a currency or unit of measure converter, a QR code scanner, a note-taking app, or a dictionary.
The full list of dangerous applications is as follows:
- High-Speed Camera (com.hantor.CozyCamera) – over 10,000,000 downloads;
- Smart Task Manager (com.james.SmartTaskManager) – over 5,000,000 downloads;
- Flashlight+ (kr.caramel.flash_plus) – over 1,000,000 downloads;
- 달력메모장 (com.smh.memocalendar) – over 1,000,000 downloads;
- K-Dictionary (com.joysoft.wordBook) – over 1,000,000 downloads;
- BusanBus (com.kmshack.BusanBus) – over 1,000,000 downloads;
- Flashlight+ (com.candlencom.candleprotest) – over 500,000 downloads;
- Quick Note (com.movinapp.quicknote) – over 500,000 downloads;
- Currency Converter (com.smartwho.SmartCurrencyConverter) – over 500,000 downloads;
- Joycode (com.joysoft.barcode) – over 100,000 downloads;
- EzDica (com.joysoft.ezdica) – over 100,000 downloads;
- Instagram Profile Downloader (com.schedulezero.instapp) – over 100,000 downloads;
- Ez Notes (com.meek.tingboard) – over 100,000 downloads;
- 손전등 (com.candlencom.flashlite) – over 1,000 downloads;
- 계산기 (com.doubleline.calcul) – over 100 downloads;
- Flashlight+ (com.dev.imagevault) – 100+ downloads.
Once installed and launched, these apps did provide users with the features they claimed, but they also secretly downloaded additional ad fraud-related code.
Infected devices received messages via Google’s Firebase Cloud Messaging platform that instructed them to open certain pages in the background and follow links, artificially inflating the click counts of the desired ads.
“This could lead to heavy consumption of network traffic and energy consumption without the knowledge of the user, and was also profitable for the attackers behind this malware,” the experts write.
All of the malicious applications shipped with the com.liveposting library, which launched hidden adware services. Some also included an additional library, com.click.cas, which handled automatic clicking. To hide the suspicious behavior, the malicious utilities waited about an hour after installation before running these libraries.
All of the listed applications have now been removed from Google Play.
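A defender-side check built from the indicators above, added here as an example and not taken from McAfee's report: it flags listed package IDs in `pm list packages` output and any app whose class list contains the com.liveposting or com.click.cas namespaces, which also catches apps that are not on the list. The sample device output and class names are constructed, and obtaining each app's class list (for instance from a DEX dump) is assumed to happen separately.

```python
import re

# Package IDs copied from the list above.
LISTED_PACKAGES = {
    "com.hantor.CozyCamera", "com.james.SmartTaskManager", "kr.caramel.flash_plus",
    "com.smh.memocalendar", "com.joysoft.wordBook", "com.kmshack.BusanBus",
    "com.candlencom.candleprotest", "com.movinapp.quicknote", "com.joysoft.barcode",
    "com.smartwho.SmartCurrencyConverter", "com.joysoft.ezdica", "com.meek.tingboard",
    "com.schedulezero.instapp", "com.candlencom.flashlite", "com.doubleline.calcul",
    "com.dev.imagevault",
}
LIBRARY_PREFIXES = ("com.liveposting.", "com.click.cas.")  # libraries named in the article

def parse_pm_list(text):
    """Package IDs from `pm list packages` output, with or without -f APK paths."""
    lines = re.findall(r"^package:(\S+)", text, re.MULTILINE)
    return {line.rsplit("=", 1)[-1] for line in lines}

def normalize_class(name):
    """Turn a JVM descriptor ('Lcom/foo/Bar;') or a dotted name into dotted form."""
    name = name.strip()
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1]
    return name.replace("/", ".")

def bundled_libraries(class_names):
    """Article-named library namespaces present in one app's class list."""
    dotted = [normalize_class(c) for c in class_names]
    return sorted({p.rstrip(".") for p in LIBRARY_PREFIXES for d in dotted if d.startswith(p)})

def triage(pm_output, classes_by_package):
    """Map each flagged package to the reasons it was flagged."""
    report = {}
    for pkg in sorted(parse_pm_list(pm_output)):
        reasons = ["listed package ID"] if pkg in LISTED_PACKAGES else []
        reasons += ["bundles " + lib for lib in bundled_libraries(classes_by_package.get(pkg, []))]
        if reasons:
            report[pkg] = reasons
    return report

# Constructed sample input: not real device data, class names are made up.
SAMPLE_PM = "package:com.android.settings\npackage:kr.caramel.flash_plus\npackage:org.example.notes\n"
SAMPLE_CLASSES = {
    "kr.caramel.flash_plus": ["Lcom/liveposting/ExampleService;", "Lcom/click/cas/ExampleClicker;"],
    "org.example.notes": ["com.liveposting.ExampleService", "org.example.notes.Main"],
}

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_CLASSES))
```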