Porn clicker trojans at Google Play: An analysis

Malicious porn clickers are mostly fake versions of popular games with very similar names and icons to legitimate applications. For instance, there were more than 30 bogus Subway Surfers and more than 60 fake GTA applications.

These apps have nothing in common with the official Subway Surfers or GTA games. The trojans were mostly devoid of any legitimate functionality and took advantage of having been given similar names to those of popular applications.

Figure 1 – Malicious apps on Google Play

Based on data found on the attackers’ servers, which generate the ads, there were clearly many more trojan clickers. It’s hard to determine whether all of those apps were on the Play Store – perhaps they were only hosted on third-party stores. We found references to 187 applications aside from those apps already discovered on the Play Store. All the package names can be found in the appendix.

Some versions of these porn clickers have implemented an antivirus check on the installed apps. If antivirus software is installed on the device, then the malicious functionality will not be triggered. This method is explained in a previous We Live Security article. The latest version of this porn clicker contains a list of 56 security applications whose presence is checked for on the device.

Figure 2 – A list of antivirus or security applications

Over time, as some of these porn clickers were repacked and uploaded to the Play Store, they changed the app’s name, icon or even its developer’s name, while the package name stayed the same.

Figure 3 – Developer apps before

Figure 4 – Developer apps after

A more interesting app name in combination with a popular icon can obviously lead to even more downloads and, of course, more profit for the developer.
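
The pattern described above, where a repacked clicker keeps its package name while its title, icon and developer name change, can be checked for in successive snapshots of store listings. The following Python code is an added example, not part of the original article or ESET's tooling; the snapshot format, package names, developer names and icon hash prefixes are constructed for illustration.

```python
from collections import defaultdict

# Constructed listing snapshots (not data from the article's appendix):
# (snapshot_date, package_name, app_title, developer_name, icon_hash_prefix)
SNAPSHOTS = [
    ("2016-01-05", "com.example.runner", "Subway Surf 2", "DevStudio A", "a1b2"),
    ("2016-01-19", "com.example.runner", "GTA 2016", "DevStudio B", "c3d4"),
    ("2016-02-02", "com.example.runner", "My Talking Tom 3", "DevStudio B", "e5f6"),
    ("2016-01-05", "com.example.notes", "Simple Notes", "Notes Ltd", "0a0a"),
    ("2016-02-02", "com.example.notes", "Simple Notes", "Notes Ltd", "0b0b"),
]

IDENTITY_FIELDS = ("title", "developer", "icon")


def listing_history(snapshots):
    """Group snapshots by package name, oldest first (ISO dates sort as text)."""
    history = defaultdict(list)
    for date, pkg, title, developer, icon in sorted(snapshots):
        history[pkg].append(
            {"date": date, "title": title, "developer": developer, "icon": icon}
        )
    return history


def identity_changes(entries):
    """List (date, field, old, new) for every change between consecutive snapshots."""
    changes = []
    for prev, cur in zip(entries, entries[1:]):
        for field in IDENTITY_FIELDS:
            if prev[field] != cur[field]:
                changes.append((cur["date"], field, prev[field], cur[field]))
    return changes


def flag_repackaged(snapshots, min_fields=2):
    """Flag packages whose name is stable while at least `min_fields` distinct
    identity fields changed. A lone icon refresh, common in legitimate
    updates, stays below the default threshold."""
    flagged = {}
    for pkg, entries in listing_history(snapshots).items():
        changes = identity_changes(entries)
        if len({field for _, field, _, _ in changes}) >= min_fields:
            flagged[pkg] = changes
    return flagged


if __name__ == "__main__":
    for pkg, changes in flag_repackaged(SNAPSHOTS).items():
        print(pkg, *changes, sep="\n  ")
```
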

How to stay secure

In cases like this, where the malware pretends to be a newly-released game with a fake app name and fake icon (My Talking Tom 3, GTA 2016, Temple Run 3 …), it’s very important to read user reviews. Many of these trojan porn clickers have received bad reviews and a lot of negative comments from users who had already been scammed.

Even if users have no doubt before installation, we advise them to read the reviews and to reconsider downloading the application if there are many negative ratings. In most of these porn clicker cases there are more negative than positive reviews.

Figure 5 – Negative user reviews

After reading such comments, users should be more aware of the potential risk and reconsider the installation of the application. In any case, we advise users to have up-to-date security solutions, which should stop such threats from being installed onto their devices.

Figure 6 – Negative comments from Google Play

On the other hand, Google detects many of these trojan-clickers when its own ‘Verify apps’ option is enabled; this system blocks installation of applications that may cause harm. Unfortunately, it seems that such apps are often only detected after they are removed from the Play Store.

Figure 7 – Google apps verification system

Consequences

Trojan porn clickers have infected a lot of Android devices in order to earn money for the criminals who created the malware. Hopefully these particular fake applications will no longer evade detection by the Play Store’s app evaluation process. Unfortunately, servers providing advertisement links are still accessible, so maybe this won’t be the last time we will hear about the trojan porn clicker.

Details

Details such as Google Play data, hashes, and remote servers can be found in our appendix.

Author Lukas Stefanko, ESET

Copyright © 2016 ESET, All Rights Reserved.