Most fraudulent apps of this kind contain a backdoor through which they receive instructions from a command and control server, and that puts their users at real risk.
Google Play Store removed 22 apps for having fraud click scripts
Researchers from Sophos discovered 22 apps in the Google Play Store carrying automated click-fraud scripts. The scripts hide the fraudulent ad requests and clicks from the user, and disguise both the identity of the app and the operating system of the device. Google removed the apps from the Play Store last month, shortly after the discovery, for violating its policies.
According to Sophos, the apps disguised their requests as coming from iOS devices in order to earn higher per-click revenue: many advertisers pay premium rates to reach users of Apple devices because of the perception that Apple users have more money to spend than Android users. Sophos puts the combined download count of the apps at over 2 million. Removal from the Play Store does not uninstall the apps from phones and tablets that already have them; those copies keep running until the user uninstalls them manually.
How does it work?
The apps poll a command and control server over an unencrypted HTTP connection, roughly every 10 minutes, for instructions. The instructions tell the app to request ads from ad networks using a forged user-agent string, open the ads, click them, and then close them again. All of this happens in a zero-pixel (0x0) window, so nothing is visible to the user. The forged user-agent strings make each click look as if it came from a different, real device, which keeps the ad networks from spotting the fraud.
The forged identities imitate real hardware. Sophos found that the requests pretended to come from Apple iPhone 5 through iPhone 8 Plus handsets and from 249 Android models running Android 4.4.2 to 7.x, covering popular devices from about 33 brands.
The device owner sees no sign of any of this. The only symptoms are higher-than-usual data usage and shorter battery life. Even if the user force-closes the app, it restarts itself through tasks scheduled at boot time.
Because the command channel is plain, unauthenticated HTTP, it can carry more than click instructions: the same channel could push other malware to the device, and anyone on the network path could inject their own instructions. Although Google removed the apps from the Play Store, the command and control server is still online, so installed copies keep receiving instructions.
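The behaviour described above leaves two traces that are visible in network logs even when nothing is visible on screen: a handset that presents more than one operating system in its User-Agent strings, and a fixed-interval poll of one host over cleartext HTTP. The following script is an added example, not code from the Sophos report or from the apps themselves; the log format, the device IDs, the hostnames (`c2.example.invalid`, `ads.example.invalid`) and the timestamps are all constructed for the illustration, and the 10-minute interval and 30-second jitter threshold are assumptions you would tune for real data.

```python
"""Flag the two network-visible traits of the click-fraud apps described above:
(1) one device sending both Android and iPhone User-Agent strings, and
(2) near-constant-interval polling of a single host, over cleartext HTTP.
All log lines, device IDs and hostnames below are constructed for the example."""

import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-style log: "<ISO time> <device_id> <scheme> <host> <user-agent>".
# dev-a models an infected handset; dev-b models a clean one browsing normally.
SAMPLE_LOG = """\
2018-11-20T10:00:02 dev-a http c2.example.invalid Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)
2018-11-20T10:10:03 dev-a http c2.example.invalid Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)
2018-11-20T10:10:05 dev-a https ads.example.invalid Mozilla/5.0 (iPhone; CPU iPhone OS 11_2 like Mac OS X) AppleWebKit/604.4.7 (KHTML, like Gecko) Mobile/15C114
2018-11-20T10:20:01 dev-a http c2.example.invalid Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)
2018-11-20T10:20:04 dev-a https ads.example.invalid Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Mobile/14E304
2018-11-20T10:30:02 dev-a http c2.example.invalid Dalvik/2.1.0 (Linux; U; Android 7.0; SM-G930F Build/NRD90M)
2018-11-20T10:05:00 dev-b https news.example.invalid Mozilla/5.0 (Linux; Android 8.0; Pixel 2) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36
2018-11-20T11:47:00 dev-b https news.example.invalid Mozilla/5.0 (Linux; Android 8.0; Pixel 2) AppleWebKit/537.36 (KHTML, like Gecko) Mobile Safari/537.36
"""


def parse_log(text):
    """Turn the constructed log lines into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split(" ", 4)          # the User-Agent keeps its own spaces
        if len(parts) != 5:
            continue
        ts, device, scheme, host, ua = parts
        records.append({"time": datetime.fromisoformat(ts), "device": device,
                        "scheme": scheme, "host": host, "ua": ua})
    return records


def platform_of(ua):
    """Classify a User-Agent as ios / android / other by its platform token."""
    if re.search(r"\b(iPhone|iPad|iPod)\b", ua):
        return "ios"
    if re.search(r"\bAndroid\b", ua):
        return "android"
    return "other"


def find_ua_spoofing(records):
    """Devices whose User-Agents claim more than one mobile platform.
    A real handset runs one OS, so an Android device that also presents
    itself as an iPhone is the 'pose as iOS for higher rates' trick."""
    seen = defaultdict(set)
    for r in records:
        p = platform_of(r["ua"])
        if p != "other":
            seen[r["device"]].add(p)
    return {dev: sorted(plats) for dev, plats in seen.items() if len(plats) > 1}


def find_beaconing(records, min_hits=3, max_jitter_s=30.0):
    """(device, host) pairs contacted at a near-constant interval.
    Reports the mean interval and whether the channel was cleartext HTTP,
    which is what the apps' 10-minute poll of their C2 server looks like."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["device"], r["host"], r["scheme"])].append(r["time"])
    hits = {}
    for (dev, host, scheme), times in by_pair.items():
        if len(times) < min_hits:           # too few contacts to call a pattern
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:    # regular cadence, not human browsing
            hits[(dev, host)] = {"interval_s": round(mean(gaps)),
                                 "cleartext": scheme == "http"}
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("UA spoofing:", find_ua_spoofing(recs))
    print("Beaconing:", find_beaconing(recs))
```

On the constructed sample, `dev-a` is flagged on both counts (it presents Android and iPhone User-Agents, and it contacts `c2.example.invalid` over HTTP every 600 seconds) while `dev-b`, with two irregular HTTPS requests, is not. On real traffic the jitter threshold and the minimum number of contacts need tuning, and a device that presents two platforms is only a lead, since tethering and some browser apps can do the same.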
The malicious apps named in the report (18 of the 22 that were removed):
1. Snake Attack
2. Take A Trip
3. Zombie Killer
4. Table Soccer
5. Space Rocket
6. Sparkle Flashlight
7. Join Up
8. Just Flashlight
9. Jelly Slice
10. Box Stack
11. Shape Sorter
12. Color Titles
13. Roulette Mania
14. AK Blackjack
15. Animal Match
16. Neon Pong
17. Cliff Dive
18. Math Solver
All 22 apps were built to hide the fraudulent clicks, along with the ad requests behind them, and to conceal both the app's identity and the device's operating system. Google has removed them from the Play Store, but devices that still have them installed remain infected and keep taking orders from the command and control server. If any of the apps above is installed on your phone, uninstall it now.