As many as 16 malicious apps with over 20 million cumulative downloads have been removed from the Google Play Store after they were caught committing mobile advertising fraud.
The Clicker malware masquerades as seemingly harmless tools such as cameras, currency/unit converters, QR code readers, note-taking apps and dictionaries, among others, in an attempt to trick users into downloading them, cyber security firm McAfee said.
The list of offending apps is as follows –
- High Speed Camera (com.hantor.CozyCamera) – 10,000,000+ downloads
- Smart Task Manager (com.james.SmartTaskManager) – 5,000,000+ downloads
- Flashlight+ (kr.caramel.flash_plus) – 1,000,000+ downloads
- 달력메모장 (com.smh.memocalendar) – 1,000,000+ downloads
- K-Dictionary (com.joysoft.wordBook) – 1,000,000+ downloads
- BusanBus (com.kmshack.BusanBus) – 1,000,000+ downloads
- Flashlight+ (com.candlencom.candleprotest) – 500,000+ downloads
- Quick Note (com.movinapp.quicknote) – 500,000+ downloads
- Currency Converter (com.smartwho.SmartCurrencyConverter) – 500,000+ downloads
- Joycode (com.joysoft.barcode) – 100,000+ downloads
- EzDica (com.joysoft.ezdica) – 100,000+ downloads
- Instagram Profile Downloader (com.schedulezero.instapp) – 100,000+ downloads
- Ez Notes (com.meek.tingboard) – 100,000+ downloads
- 손전등 (com.candlencom.flashlite) – 1000+ downloads
- 공이기 (com.doubleline.calcul) – 100+ downloads
- Flashlight+ (com.dev.imagevault) – 100+ downloads
The Clicker app, once installed and launched, unleashes its fake functionality that enables the malware to covertly visit fake websites and simulate ad clicks without the victims’ knowledge.
“This can cause huge network traffic and consume power without user awareness during the time it generates profit for the threat actor behind this malware,” said McAfee researcher SangRyol Ryu.
To further hide its true motive, the app takes into account the app installation time so that the suspicious activity does not start within the first hour of downloading the app. It also has a randomized delay in between to stay under the radar.
The findings come two months after McAfee discovered a dozen Android adware apps distributed on the Google Play Store, which contained a malware strain called HiddenAds that were found to run automatically without any user interaction.
“Clicker malware targets illegal ad revenue and can disrupt the mobile advertising ecosystem,” Ryu said. “Malicious behavior is cleverly hidden from detection.”