Doctor Web experts found malicious applications on Google Play that hid an Android clicker which automatically subscribed users to paid services.
Researchers identified several modifications of this malware, which received the identifiers Android.Click.322.origin, Android.Click.323.origin and Android.Click.324.origin. "To hide the true purpose of the applications, as well as to reduce the likelihood of detecting the malware, the attackers used several tricks," security experts say.
Firstly, the clicker was built into harmless applications – cameras and image collections – which really worked and performed the declared functions.
Secondly, all malicious applications were protected by the commercial Jiagu packer, which makes detection by antivirus software harder and complicates code analysis. This increased the malware's chances of evading the built-in protection of the Google Play store.
Thirdly, the malware authors tried to disguise the Trojan as well-known advertising and analytics libraries: after being added to a host program, it was embedded in the Facebook and Adjust SDKs already present there, hiding among their components.
In addition, the clicker attacked users selectively: it performed no malicious actions if the potential victim was not a resident of one of the countries of interest to the attackers.
After installation and launch, the clicker tried to gain access to the operating system's notifications by displaying a permission request.
If the user granted the requested permission, the Trojan was able to hide all notifications about incoming SMS and intercept the text of messages. The clicker then transmitted technical data about the infected device to the control server and checked the serial number of the victim's SIM card. If it corresponded to one of the target countries, the malware sent information about the phone number attached to the SIM card to the server.
"At the same time, for users from certain countries, the clicker showed a phishing window asking them to enter a phone number or log in to their Google account," security experts said.
If the victim's SIM card did not belong to a country of interest to the attackers, the Trojan took no action and stopped its malicious activity. The studied modifications of the malware attacked residents of the following countries:
- Austria
- Italy
- France
- Thailand
- Malaysia
- Germany
- Qatar
- Poland
- Greece
- Ireland
After transmitting information about the user's phone number, the Trojan waits for commands from the control server. The server sends the malware tasks containing the addresses of websites to load and code in JavaScript. This code is used to control the clicker through the JavascriptInterface, display pop-up messages on the device, perform clicks on web pages, and carry out other actions.
Upon receiving a site address, the Trojan opens it in an invisible WebView, into which the previously received JavaScript with the click parameters is also loaded. After opening a site offering a premium service, the Trojan automatically clicks the necessary links and buttons. It then receives verification codes from SMS and confirms the subscription on its own.
"Despite the fact that the clicker does not have the function of working with SMS and access to messages, it bypasses this limitation. To do so, the Trojan's service monitors notifications from the application that is assigned by default to handle SMS messages," the researchers also report.
When a message arrives, the service hides the corresponding system notification. It then extracts information about the received SMS from the notification and passes it to the Trojan's broadcast receiver. As a result, the user sees no notifications about incoming SMS and does not know what is happening. The user learns about the subscription only when money starts disappearing from their account, or when they open the messaging app and see SMS related to the premium service.
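As an added illustration, not part of the Doctor Web report: the notification access the clicker relied on is recorded in the device's secure settings, so an analyst can list which third-party packages currently hold a notification listener and review any that were not knowingly granted it. The script below parses constructed samples of two adb commands; the package names and allowlist are hypothetical.

```python
"""Flag third-party Android apps holding notification-listener access.

Inputs are the raw output of two adb commands (constructed samples below):
  adb shell settings get secure enabled_notification_listeners
  adb shell pm list packages -3
"""

# Constructed sample: one system listener plus a hypothetical photo app that
# obtained notification access, as the clicker described above did.
SAMPLE_LISTENERS = (
    "com.android.bluetooth/com.android.bluetooth.map.BluetoothMapNotificationListener:"
    "com.example.photoeditor/com.example.photoeditor.internal.NotifyService"
)
SAMPLE_THIRD_PARTY = "package:com.example.photoeditor\npackage:com.example.weather\n"

# Hypothetical: packages the device owner knowingly granted notification access.
ALLOWLIST = {"com.example.weather"}


def parse_listeners(raw: str) -> list[str]:
    """Split the colon-separated ComponentName list; 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [c for c in raw.split(":") if "/" in c]


def parse_third_party(raw: str) -> set[str]:
    """Extract package names from 'package:<name>' lines of `pm list packages -3`."""
    return {line[len("package:"):].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def find_suspicious_listeners(listeners_raw: str, third_party_raw: str,
                              allowlist: set[str]) -> list[str]:
    """Return listener components owned by third-party packages not on the allowlist."""
    third_party = parse_third_party(third_party_raw)
    suspicious = []
    for component in parse_listeners(listeners_raw):
        pkg = component.split("/", 1)[0]
        if pkg in third_party and pkg not in allowlist:
            suspicious.append(component)
    return suspicious


if __name__ == "__main__":
    for comp in find_suspicious_listeners(SAMPLE_LISTENERS, SAMPLE_THIRD_PARTY, ALLOWLIST):
        print("review notification access for:", comp)
```

On a real device, replace the samples with the live adb output; a listener held by an app whose declared purpose has nothing to do with notifications (a camera or wallpaper app, as in this campaign) is the signal worth reviewing.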