Contributor: Martin Zhang
Summary: Three apps on Google Play use delayed attacks, self-naming tricks, and an attack list dictated by a command and control server to click on ads in the background without the user's knowledge.
Symantec researchers discovered three malicious applications on Google Play that collected ad revenue by clicking on ads while running in the background. The three apps utilized three separate techniques (delayed attacks, self-naming tricks, and an attack list received from a command and control server [C&C]) that are relatively common on their own, but have not been seen together. Symantec detects these threats as Android.Fakeapp. We have notified Google about these apps and they have been removed from Google Play.
The three malicious apps were available on Google Play with the following package and app names:
- com.sarabase.clearmaster.speedbooster (Clear Master Boost and Clean)
- com.desive.fastercharger.fastcharger (Fast Charge 2017)
- com.qt.fastercharger (Fast Charger X3 Free)
Google Play reported between 10,000 and 50,000 installs each of the Fast Charge 2017 and Fast Charger X3 Free apps and 5,000 to 10,000 installs of the Clear Master Boost and Clean app in North America.
Hiding with a fake name
Even on the Android platform, an app can appear to be many things to many different interfaces. These specific apps use one name on the home screen while hiding under a different process name. In one example we encountered, the app title was ‘Fast Charger’ on the home screen, while the process name according to the ‘Settings > Apps’ dialog appears as ‘android’. Once the app hides by deleting itself from the launcher, all that’s left is a process called ‘android’; an unlikely candidate for a user to force quit.
Figure 1. Hiding under the 'Faster Charger' name on the home screen and the 'android' name on the processes screen
Attacker directed malware
Like many other pieces malware, these apps get their marching orders from command and control servers on the internet. In this case, the malware receives a list of apps that could be deployed, corresponding delay times, and ad servers to connect to. The app in question will verify itself against this list and behave accordingly. With this information, the malicious apps can earn the attackers money by clicking on ads in the background without the user's knowledge. Attackers can update malware that’s not making enough money and test out new configurations using devices with the malicious apps on them.
By triggering malicious behavior on a delay, malware can trick victims into blaming subsequently installed apps for strange behavior they’re observing. This mechanism also thwarts attempts by AV programs using dynamic analysis because the delay often leads to dynamic analysis exiting before it detects the threat.
Becoming a Device Administrator
These apps may take the final step of requesting Device Administrator privileges from the user. If the user can be tricked into clicking ‘OK’, the app, already hidden from the launcher, becomes even more difficult to locate and disable.
Protect yourself with Norton Mobile Security
Norton Mobile Security uses static and dynamic analysis, machine learning, and behavioral fingerprinting to identify and protect millions of users around the world. In addition to traditional protection, the App Advisor feature will warn users of malware and greyware while shopping for apps on Google Play.
Figure 2. App Advisor's malicious app warning
Symantec recommends users follow these best practices to stay protected from mobile threats:
- Keep your software up to date
- Do not download apps from unfamiliar sites
- Only install apps from trusted sources
- Pay close attention to the permissions requested by apps
- Install a suitable mobile security app, such as Norton, to protect your device and data
- Make frequent backups of important data
Symantec and Norton products detect the threat discussed in this blog as Android.Fakeapp.