Android Click Fraud: Just Push Play

Malicious apps that may disrupt, gather sensitive information and gain private access to your android phone

A recent article by Italian IT company, TG Soft brought to light an Android malware that is being served by the official Google Play Store. According to Google Play statistics, the application was installed on 10,000-50,000 devices. More details after the jump.

The malware presents itself as an application called ‘Real Basketball’ in the official Google Play Store. However, it is designed to confuse the user by its appearance. It appears in the main menu as the ‘Google Play Store’application itself.

One of the Play Store icons in the image corresponds to the malicious application and can easily be mistaken by an unsuspecting user for the real deal. When the application is launched, the user sees a blank screen as seen below.

The application’s main screen

However, in the background, the application is silently at work and using up a lot of the phone’s data connectivity. It appears to be written by a Turkish developer from the function names and strings used in the code, however the application’s description is in Italian and a lot of the targeted websites are Italian as well.

Malware Functionality :
First, the malware registers the device’s IP by contacting the site http://www.mobilefilmizle.com/ipzaman.php. This value is referenced everytime the application is launched, to check whether the device is connected to the internet and if the IP address has changed. The main purpose of this is to determine whether the malicious functionality of the application should be run or not.

Next, it contacts a website that returns a list of search terms and keywords. The malware, iterates through this list to carry out its main malicious activity described below.

1. Each search term is entered as a search entry to google.it
2. Each search result page is opened. The malware seeks out links on these pages of a certain format and clicks on them using Javascript mouse events. This leads to the malware clicking on a lot of advertising links that might earn the attackers money from ad campaigns that Pay Per Click. This technique called Click fraud has been used by PC malware in the past as well.

What’s interesting is that all the above browser functionality is emulated using javascripts, explaining the malware’s ability to function independent of user interaction.

Javascript click functionality

Once all the search words are covered, the application displays the download page for the official Facebook application, another step towards convincing the end user of its legitimate functionality. The application is still available in the official Play Store at the time of writing this post, even a week after the company’s report on its maliciousness. The URLs contacted by the application are also currently functional.

Suggested Countermeasures :

• Javascript restrictions: Javascript served from a location other than the original page shouldn’t be allowed to run on the page. This restriction is implemented as the Same-origin policy in modern mobile browsers however, since the malware makes use of the Android Webview class to load URLs, it is able to bypass this. So, obviously, the fix would be (somehow) to implement this policy for Webview transactions as well.
• Google should verify developper creds entered such as the developper website which, in this case is http://www.olmayanadam.com that isn’t even a registered domain.
• As always, common sense is the first step to safety on the internet - the two Google Play icons in the main menu should be your first hint of an infection, the enormous delay after launching the ‘Google Play Store’ application should be the second.

Fortinet detects this malware as Android/FakePlay.B!tr.

Source: Fortinet Philippines

Back to top