Fraudulent apps rely on a backdoor opened to receive instructions from a command and control server, opening users to greater potential harm.

Just short of two dozen apps containing automated click fraud scripts were discovered by researchers at Sophos, leading to their removal from the Google Play Store last month. The click fraud scripts employed by these apps were designed to conceal the fraudulent clicks, and the advertisements being clicked on, from users, as well as to conceal the identity of the requesting app and the operating system of the device itself.

Sophos researchers posit that these Android apps were disguising requests as originating from iOS to gain higher per-click rates. Advertisers are willing to pay a premium to reach users of Apple devices, on the assumption that Apple users have more disposable income than Android users. According to Sophos, the apps had been downloaded more than 2 million times. Though the apps were removed from the Play Store, copies already installed on phones and tablets have not been removed.

The click fraud script in these apps receives instructions from a command and control server, which transmits them to the app over an unencrypted HTTP connection every 10 minutes. From these instructions, it generates requests to ad networks with a false user-agent string, and subsequently opens, clicks, and closes the returned ads in a zero-pixel window. The user-agent string is varied from request to request so that the traffic does not appear to come from a single device, which would raise suspicion of fraud.

According to Sophos, the forged data claims to originate from "Apple models ranging from the iPhone 5 to 8 Plus, as well as from 249 different forged Android models from 33 distinct brands, purportedly running Android OS versions ranging from 4.4.2 to 7.x. This variety covers most of the popular mobile devices on the market."

As a result of this design, the fraudulent behavior is essentially transparent to the device owner, though users would see higher-than-average data use and reduced battery life due to the increased network activity. Even when one of the apps is force-closed, scheduled tasks restart it, and it also starts itself at boot time.

Though the unencrypted HTTP connection was not observed to deliver other malware payloads, it could be used for that purpose, and the command and control server is still active despite the removal of these apps from the Google Play Store.
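The two behaviors described above, a fixed-interval poll of a plain-HTTP host and a single device presenting user-agent strings from several platforms, are both visible in egress proxy logs. The following is an added detection example, not code from Sophos or from the article; the log format, device names and hosts are constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO time> <device> <scheme> <host> <user-agent>".
# Hosts are placeholders; the real C2 and ad-network hosts are not given here.
SAMPLE_LOG = """\
2018-11-20T10:00:03 tablet-07 http c2.example.invalid okhttp/3.10
2018-11-20T10:10:01 tablet-07 http c2.example.invalid okhttp/3.10
2018-11-20T10:20:02 tablet-07 http c2.example.invalid okhttp/3.10
2018-11-20T10:30:04 tablet-07 http c2.example.invalid okhttp/3.10
2018-11-20T10:02:00 tablet-07 https ads.example.invalid Mozilla/5.0 (iPhone; CPU iPhone OS 11_0 like Mac OS X)
2018-11-20T10:05:00 tablet-07 https ads.example.invalid Mozilla/5.0 (Linux; Android 4.4.2; SM-G900F)
2018-11-20T10:07:00 tablet-07 https ads.example.invalid Mozilla/5.0 (iPhone; CPU iPhone OS 10_3 like Mac OS X)
2018-11-20T10:01:00 phone-12 https news.example.invalid Mozilla/5.0 (Linux; Android 8.0; Pixel 2)
2018-11-20T10:45:00 phone-12 https news.example.invalid Mozilla/5.0 (Linux; Android 8.0; Pixel 2)
"""

def parse_log(text):
    """Split each line into (timestamp, device, scheme, host, user_agent)."""
    rows = [line.split(None, 4) for line in text.splitlines() if line.strip()]
    return [(datetime.fromisoformat(t), d, s, h, ua) for t, d, s, h, ua in rows]

def periodic_http_beacons(events, period_s=600, tolerance_s=30, min_hits=4):
    """(device, host) pairs polled over plain HTTP at a near-constant interval."""
    times = defaultdict(list)
    for ts, device, scheme, host, _ in events:
        if scheme == "http":
            times[(device, host)].append(ts)
    flagged = set()
    for key, ts_list in times.items():
        ts_list.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if len(ts_list) >= min_hits and all(abs(g - period_s) <= tolerance_s for g in gaps):
            flagged.add(key)
    return flagged

def conflicting_user_agents(events):
    """Devices whose requests claim to be both an iPhone and an Android handset."""
    agents = defaultdict(set)
    for _, device, _, _, ua in events:
        agents[device].add(ua)
    return {d for d, uas in agents.items()
            if any("iPhone" in u for u in uas) and any("Android" in u for u in uas)}

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("beaconing:", periodic_http_beacons(ev))
    print("mixed-platform UAs:", conflicting_user_agents(ev))
```

A device that trips both checks is worth pulling for a look at its installed apps; a real handset runs one operating system and has no reason to poll the same plaintext host every ten minutes.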

The full list of affected apps is available at Sophos.

The big takeaways for tech leaders:

  • 22 Android apps on the Google Play Store had click fraud scripts, which load and click on hidden advertisements. -Sophos, 2018
  • The apps were removed from the Google Play Store, but devices with the affected apps are still vulnerable. -Sophos, 2018