Posted on October 23, 2022 at 6:49 PM
A recent report reveals that sixteen Android apps downloaded more than 20 million times are infected with the new Clicker malware. According to the report, the malware is used for mobile ad fraud and is hidden in apps that impersonate QR code converters, currency/unit converters, note-taking apps, and dictionary apps.
Once the malicious app is installed and executed, the malware simulates ad clicks without the victim’s knowledge. Additionally, Clicker malware starts its activities one hour after it has been downloaded to conceal its real intentions and stay under the radar.
Cybersecurity researcher at McAfee, SangRyol Ryu, commented on the discovery. “Clicker malware targets illicit advertising revenue and can disrupt the mobile advertising ecosystem,” he said, adding that the activities of the malware are completely under the radar.
Clicker apps are a special type of adware that loads ads in the background or in invisible frames and clicks them to generate revenue for their operators. The impact on the device may include increased battery usage, overheating, a reduction in performance, as well as inflated mobile data charges.
DxClean Has Been Downloaded Over 5 Million Times
The leader of the bunch is DxClean, which had been installed more than 5 million times before it was discovered and removed. Surprisingly, the app had a positive user rating of 4.1 out of 5 stars.
DxClean presents itself as a system cleaner and optimizer. According to its service description, it discovers the causes of system shutdowns and stops advertisement annoyances. In reality, it does the exact opposite of its supposed function in the background.
The Malware Mimics Users’ Behavior
After launch, the apps download their configuration from a remote location via an HTTP request. They then register a Firebase Cloud Messaging (FCM) listener to receive push messages. These contain instructions for the clickers, including the parameters to use and the functions to call.
When an FCM message meets certain conditions, the Clicker apps start working on the installed device. They perform a number of functions, including visiting sites and browsing them in the background while mimicking the users’ behavior. ‘com.liveposting’ manages the hidden adware while the ‘click.cas’ component handles the auto-clicking function.
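The following triage sketch is an added example, not code from the report or from McAfee. It checks a decoded AndroidManifest.xml and a class-name list for the two component names given above and for a service registered for FCM push messages. The sample manifest, the package com.example.cleaner and the class names ClickRunner and AgentService are constructed for illustration; it assumes the APK has already been decoded to text.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"  # intent action FCM services filter on
COMPONENT_MARKERS = ("com.liveposting", "click.cas")  # names as given in the article

# Constructed sample: decoded manifest and class list of a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name="com.example.cleaner.PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""
SAMPLE_CLASSES = [
    "com.example.cleaner.MainActivity",
    "com.click.cas.ClickRunner",      # constructed class name
    "com.liveposting.AgentService",   # constructed class name
]

def fcm_listeners(manifest_xml):
    """Return names of services registered to receive FCM push messages."""
    root = ET.fromstring(manifest_xml)
    return [svc.get(ANDROID_NS + "name")
            for svc in root.iter("service")
            if any(a.get(ANDROID_NS + "name") == FCM_ACTION for a in svc.iter("action"))]

def marker_hits(class_names):
    """Map each marker to the classes containing it as whole package segments."""
    hits = {}
    for marker in COMPONENT_MARKERS:
        matched = [c for c in class_names if f".{marker}." in f".{c}."]
        if matched:
            hits[marker] = matched
    return hits

def triage(manifest_xml, class_names):
    """FCM alone is common in legitimate apps; flag only when markers are present."""
    listeners, hits = fcm_listeners(manifest_xml), marker_hits(class_names)
    if hits and listeners:
        verdict = "review: clicker components with push-triggered entry point"
    elif hits:
        verdict = "review: clicker component names present"
    else:
        verdict = "no match"
    return {"fcm_listeners": listeners, "markers": hits, "verdict": verdict}

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST, SAMPLE_CLASSES))
```

A name match is only a lead for manual review: package names are easy to change, and an FCM listener on its own is normal in legitimate apps.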