Google has removed 22 malware apps from its official Google Play Store after it emerged they were forcing users to click on fraudulent ads and falsely communicating to the advertisers that the clicks were coming from iPhones, not Android devices.
The malicious apps were first discovered by SophosLabs, a British security software and hardware company. Named Andr/Clickr-ad by SophosLabs, the malicious apps have been downloaded a total of 2m times since the beginning of June this year.
“Andr/Clickr-ad is a well-organised, persistent malware that has the potential to cause serious harm to end users, as well as the entire Android ecosystem,” said Chen Yu, the author of the report. “These apps generate fraudulent requests that cost ad networks significant revenue as a result of the fake clicks.”
According to the report, one of the apps, called Sparked Flashlight, reached a milestone of 1m downloads.
It’s the second time SophosLabs have noticed fraudulent ads on the Google Play Store, after discovering ad fraud campaigns in 25 apps in March and April of this year.
Malware apps “generate revenue”
The adware launches a hidden browser, switches the browser’s user-agent from Android to that of an iPhone, and then mimics clicks on ads, which in turn generates revenue for the adware operator.
These apps are also believed to contain malicious adware code that resulted in users’ batteries being drained much faster than usual.
“These apps drain their [users’] phone’s battery and may cause data overages as the apps are constantly running and communicating with the server in the background,” Chen said.
She added: “The devices are fully controlled by the C2 server and can potentially install any malicious modules upon the instructions of the server.”
Sophos published a list of all 22 infected apps, which were removed from the Play Store on November 25th. The company advised users to uninstall the apps and reset their phones in order to fully remove the malware.