Auto-Clicking Android Adware Found in 340 Apps on the Google Play Store

An auto-clicking Android adware family called GhostClicker has been found in 340 apps on the Google Play Store. One of them, the game “Aladdin’s Adventure’s World”, carries the same auto-clicking adware and has been downloaded more than 5 million times.

Android remains one of the biggest targets for cyber criminals seeking to steal personal information and bank details across the globe.

The adware was found embedded in many kinds of apps, including QR and bar-code scanners, multimedia recorders and players, device chargers, and GPS/navigation apps.

GhostClicker active since August 2016

GhostClicker relies on two evasion techniques. The first is splitting its malicious code between the Google Mobile Services (GMS) API and the Facebook Ads software development kit (SDK). The second is an anti-sandboxing check: the malware refuses to run if the device’s user-agent string contains the term “nexus”, which is common in many Android sandboxing environments.

These two tricks have served the GhostClicker developer well for almost a year. Security firm Trend Micro, which discovered the adware, says its creator has been uploading GhostClicker-infected apps to the Play Store since August 2016.

The adware has evolved over the past year. Early versions required device administrator rights to operate; current versions do not. The change in modus operandi is most likely meant to avoid raising the victim’s suspicion and to remain on infected devices longer, even at the cost of fewer features.

How Does GhostClicker Work

The main motivation of this adware is to generate ad revenue by producing fake traffic, that is, clicks on ads that no user ever made.

GhostClicker injects code into the context of AdMob, Google’s mobile advertising platform, to obtain the location of the ad view on screen.

Once it has the device’s screen dimensions, it calculates the appropriate XY coordinates and uses the dispatchTouchEvent API to simulate a click at that position.

Inserting code to get AdMob’s Context View

Once the infected app is launched, the adware reads the device property that Android uses to configure the HTTP user-agent string (http.agent); this is the value its anti-sandbox check inspects for “nexus”.

Some of the GhostClicker-embedded apps requested device administrator permission without declaring a security policy, such as wiping data or resetting the password.

Requesting device administrator rights this way makes removal harder: the user has to go through extra steps before the infected app can be uninstalled.

It also displays pop-ups inside other apps that link to a Google Play Store download page, generating further revenue from this malicious activity.

It can also open a YouTube video link in the device’s browser, on instruction from its command-and-control (C&C) server.

dispatchTouchEvent API for Auto Click

GhostClicker uses the dispatchTouchEvent API to automatically click the ad and generate revenue.

GhostClicker infections have been seen in many countries, including Brazil, Japan, Taiwan, Russia, Italy, and the U.S.

Trend Micro named the adware GhostClicker (detected as ANDROIDOS_GHOSTCLICKER.AXM) because of its auto-click routine and the way it hides itself in Google Mobile Services (GMS), the set of Google’s most popular applications and application programming interfaces (APIs).

GhostClicker also hides its code in the Facebook Ads software development kit (SDK); it embeds itself into both (GMS and the Facebook Ads SDK) under a package named “logs”.
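The behaviours described above (the http.agent/“nexus” anti-sandbox check, the synthesized dispatchTouchEvent click on the AdMob ad view, and the code parked under a “logs” package inside the GMS and Facebook Ads SDK namespaces) can be turned into a static triage heuristic over decompiled sources. The following Python is an added example, not code from the original article and not Trend Micro’s detection logic; the indicator patterns, weights, threshold, the assumed use of getLocationOnScreen to find the ad view, and the sample “decompiled” Java snippets are all constructed for illustration.

```python
import re
from dataclasses import dataclass

# Each indicator is a set of regexes that must ALL appear in one decompiled file,
# plus a weight.  Patterns and weights are assumptions made for this example,
# modelled on the behaviours described in the write-up, not a vendor signature.
def _all(*patterns):
    compiled = [re.compile(p, re.I | re.M) for p in patterns]
    return lambda text: all(c.search(text) for c in compiled)

INDICATORS = {
    # Anti-sandbox: reads the http.agent property and bails if it contains "nexus".
    "anti_sandbox_nexus": (_all(r'getProperty\(\s*"http\.agent"\s*\)', r'"nexus"'), 2),
    # Synthesised click: builds its own MotionEvent and feeds it to dispatchTouchEvent.
    # Merely overriding dispatchTouchEvent is normal UI code and is not matched.
    "synthetic_touch": (_all(r'MotionEvent\.obtain\(', r'\.dispatchTouchEvent\('), 3),
    # Code parked in a package named "logs" under the GMS or Facebook Ads SDK namespace.
    "hidden_logs_package": (_all(
        r'^\s*package\s+(?:com\.google\.android\.gms|com\.facebook\.ads)(?:\.\w+)*\.logs\s*;'), 2),
    # Locating AdMob's ad view on screen to compute click coordinates (assumed API use).
    "admob_view_position": (_all(r'\bAdView\b', r'getLocationOnScreen\('), 1),
}
FLAG_THRESHOLD = 4  # assumption: tune against a clean corpus before relying on it


@dataclass
class Finding:
    path: str
    score: int
    hits: list


def scan_source(path, text):
    """Score one decompiled file; returns a Finding listing the indicators that fired."""
    hits = [name for name, (check, _w) in INDICATORS.items() if check(text)]
    return Finding(path, sum(INDICATORS[h][1] for h in hits), hits)


def triage(sources):
    """sources: {path: decompiled text}. Findings sorted highest score first."""
    return sorted((scan_source(p, t) for p, t in sources.items()),
                  key=lambda f: (-f.score, f.path))


def flagged(sources):
    """Paths whose score reaches FLAG_THRESHOLD, highest score first."""
    return [f.path for f in triage(sources) if f.score >= FLAG_THRESHOLD]


# Constructed sample "decompiled" sources for this example (not real GhostClicker code).
SAMPLE_SOURCES = {
    "com/google/android/gms/logs/a.java": '''
package com.google.android.gms.logs;
public class a {
  static boolean ok() {
    String ua = System.getProperty("http.agent");
    return ua == null || !ua.toLowerCase().contains("nexus");
  }
  static void click(android.view.View root, com.google.android.gms.ads.AdView ad) {
    int[] pos = new int[2];
    ad.getLocationOnScreen(pos);
    float x = pos[0] + ad.getWidth() / 2f, y = pos[1] + ad.getHeight() / 2f;
    long t = android.os.SystemClock.uptimeMillis();
    root.dispatchTouchEvent(android.view.MotionEvent.obtain(t, t, 0, x, y, 0));      // ACTION_DOWN
    root.dispatchTouchEvent(android.view.MotionEvent.obtain(t, t + 50, 1, x, y, 0)); // ACTION_UP
  }
}
''',
    "com/facebook/ads/internal/logs/b.java": '''
package com.facebook.ads.internal.logs;
public class b {
  static boolean sandboxed() {
    String ua = System.getProperty("http.agent");
    return ua != null && ua.toLowerCase().contains("nexus");
  }
}
''',
    "com/example/ui/SwipeLayout.java": '''
package com.example.ui;
public class SwipeLayout extends android.widget.FrameLayout {
  @Override public boolean dispatchTouchEvent(android.view.MotionEvent ev) {
    return super.dispatchTouchEvent(ev);  // ordinary override, no synthetic event
  }
}
''',
}

if __name__ == "__main__":
    for f in triage(SAMPLE_SOURCES):
        print(f"{f.score:2d} {f.path} {f.hits}")
```

Run it against a directory of decompiled Java or smali by loading each file’s text into the sources dict. The heuristic deliberately does not fire on an ordinary dispatchTouchEvent override (common in custom views) or on a suspicious package name alone; a file needs at least two of the described behaviours to reach the threshold, which is what the split across the GMS and Facebook Ads SDK namespaces looks like in practice. The anti-sandbox indicator also tells the analyst what to change in a dynamic sandbox: use a device profile whose http.agent does not contain “nexus”, otherwise the sample stops before it ever clicks anything.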

Researchers reported all 340 infected apps to Google, but 101 of them were still available on the Play Store as of August 7.

Credit: BleepingComputer, Trendmicro, Gbhackers

Jai Prajapati

Jai Prajapati is a security analyst and author for Securityleaks, where he covers the latest happenings in the cybersecurity world, such as malware, breaches, vulnerabilities, exploits, white papers, hacking news, the Dark Web, hacking tutorials and more.
