January 27, 2014

Android Click Fraud: Just Push Play - Malicious Apps that may gather sensitive information and gain private access to your Android phone

A recent article by the Italian IT company TG Soft brought to light an Android malware that is being served by the official Google Play Store.
Fig : Phone’s main menu after installation of malware

According to Google Play statistics, the application has been installed on 10,000-50,000 devices. The malware presents itself as an application called ‘Real Basketball’ in the official Google Play Store. Once installed, however, it is designed to confuse the user by its appearance: it shows up in the main menu as the ‘Google Play Store’ application itself.
Malware Functionality :

First, the malware registers the device’s IP by contacting the site

The stored value is consulted every time the application is launched, to check whether the device is connected to the Internet and whether its IP address has changed. The result decides whether the malicious functionality of the application runs on that launch.

Next, it contacts a website that returns a list of search terms and keywords.

The malware iterates through this list to carry out its main malicious activity, described below.

1. Each search term is entered as a search entry to

2. Each search result page is opened. The malware seeks out links of a certain format on these pages and clicks on them using JavaScript mouse events. As a result it clicks on a large number of advertising links, which can earn the attackers money from pay-per-click ad campaigns. This technique, called click fraud, has been used by PC malware in the past as well.

What is interesting is that all of the browser activity described above is driven by JavaScript, which explains the malware's ability to operate without any user interaction.
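The click-generation step, as an added example that is not part of the original post or of the malware's own code: the script extracts links from a constructed search-result page, keeps the ones matching an assumed advertising-link pattern (the real link format is not disclosed in the post, so the pattern below is hypothetical), and dispatches synthetic click events on them. It also shows the one signal a page-side handler has against this technique, since events created by script always carry isTrusted === false. The code runs under Node 15 or later, which provides the standard Event and EventTarget globals; the anchors are EventTarget stand-ins for DOM elements, and Node's base Event stands in for the MouseEvent a browser script would use.

```javascript
// Added example (not from the original post): synthesizing clicks on ad-style links,
// and telling script-generated clicks apart from real taps with Event.isTrusted.
// Runs in Node >= 15 (WHATWG Event/EventTarget globals); in a browser the same logic
// works against real anchors obtained with document.querySelectorAll('a[href]').

// Constructed stand-in for a search results page (not captured traffic).
const SAMPLE_RESULTS_HTML = `
<html><body>
  <a href="https://example.org/page1">organic result</a>
  <a href="https://ads.example.net/aclk?id=1001">sponsored 1</a>
  <a href="https://example.org/page2">organic result</a>
  <a href="https://ads.example.net/aclk?id=1002">sponsored 2</a>
</body></html>`;

// Hypothetical "certain format" of an advertising link; the real one is not disclosed.
const AD_LINK_PATTERN = /\/aclk\?/;

// Pull hrefs out of the markup. A regex is enough for this constructed sample;
// inside a WebView the script would simply walk the live DOM instead.
function extractLinks(html) {
  const links = [];
  const re = /<a\s+[^>]*href="([^"]+)"/gi;
  let m;
  while ((m = re.exec(html)) !== null) links.push(m[1]);
  return links;
}

// Keep only the links that look like advertising links.
function selectAdLinks(links, pattern = AD_LINK_PATTERN) {
  return links.filter((href) => pattern.test(href));
}

// Stand-in for an <a> element: an EventTarget that carries its href.
function makeAnchor(href) {
  const a = new EventTarget();
  a.href = href;
  return a;
}

// Attacker side: fire a script-generated click on every selected anchor.
// In a browser this would be `new MouseEvent('click', { bubbles: true })`.
function clickAll(anchors) {
  let fired = 0;
  for (const a of anchors) {
    a.dispatchEvent(new Event('click', { bubbles: true }));
    fired++;
  }
  return fired;
}

// Defender side: a click handler that counts trusted (user-generated) and
// synthetic clicks separately. Script-created events have isTrusted === false
// in browsers and in Node alike; only the user agent can produce a trusted one.
function attachCounter(anchors) {
  const stats = { trusted: 0, synthetic: 0 };
  for (const a of anchors) {
    a.addEventListener('click', (ev) => {
      if (ev.isTrusted) stats.trusted++;
      else stats.synthetic++;
    });
  }
  return stats;
}

// Run the whole flow over one result page and report what happened.
function runScenario(html = SAMPLE_RESULTS_HTML) {
  const targets = selectAdLinks(extractLinks(html)).map(makeAnchor);
  const stats = attachCounter(targets);
  const fired = clickAll(targets);
  return { targeted: targets.length, fired, ...stats };
}

console.log(runScenario()); // { targeted: 2, fired: 2, trusted: 0, synthetic: 2 }
```

Note the limit of the isTrusted check: it only protects clicks that are counted by a JavaScript handler on the page. A synthetic click dispatched on a real anchor still triggers the anchor's default navigation, so an ad network that records the click when the landing URL is requested sees nothing different from a real tap. That is why this kind of fraud is normally caught by server-side traffic analysis (click timing, volume per device, IP reputation) rather than in the page itself.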

Once all the search terms have been processed, the application displays the download page for the official Facebook application, another step towards convincing the end user that it is legitimate. The application is still available in the official Play Store at the time of writing this post, a week after TG Soft's report on its malicious behaviour. The URLs contacted by the application are also still functional.

Suggested Countermeasures :
· JavaScript restrictions : In a modern mobile browser the same-origin policy stops a script from one origin from reading or driving a document loaded from another origin. It does not help here, because the malware loads the search and result pages in an Android WebView that it owns and supplies the click-generating JavaScript itself, so that script runs in the context of the loaded page and the policy is never involved. A fix would have to apply a comparable restriction to what an embedding application can run inside a WebView, which the platform does not currently offer.

· Google should verify the developer credentials that are entered, such as the developer website, which in this case isn't even a registered domain.

· As always, common sense is the first line of defence on the Internet: two Google Play icons in the main menu should be your first hint of an infection, and the long delay after launching the ‘Google Play Store’ application should be the second.

Fortinet detects this malware as Android/FakePlay.B!tr.
