Researchers found a clicker Trojan bundled with over 33 apps distributed through the Google Play Store and downloaded by Android users over 100 million times.

The malware was designed as a malicious module added to seemingly harmless applications such as audio players, barcode scanners, dictionaries, and a host of other various types of ordinary software most people would install on their Android devices.

These apps were fully functional as Doctor Web researchers found and didn't show any warning signs within their interface, while also not exhibiting any of the weird behavior most malicious applications display like hiding their icon after installation or requesting way too many permissions compared to the tasks they were designed to perform.

Clicker Trojans are a type of malware designed to stay active in the memory of infected devices and perform various ad fraud-related tasks in the background such as opening web pages without the victim's knowledge.

Subscribes victims to premium services

The clicker Trojan dubbed by the researchers Android.Click.312.origin would only activate 8 hours after the apps that contained were launched to evade detection.

Subsequently, another variant was also found while analyzing this malicious campaign, which got named Android.Click.313.origin.

After launching on one of the compromised Android devices, the malware would immediately start collecting system information such as:

• the OS version,

• the device's manufacturer and model,

• the user's country of residence,

• the internet connection type,

• the user's time zone,

• and info on the app with the clicker Trojan module

All this information and more is packed and sent to the malware's command and control (C2) server which, in turn, will transmit back commands and new modules to be used, for instance, "to register a broadcast receiver and a content observer, which Android.Click.312.origin uses to monitor the installation and updates of applications."

Once the user installs a new app on the infected device via the Play Store or from an APK installer, the Trojan will send info and technical data on the device and the newly installed app to its C2 server which sends back URLs to open in a browser, an invisible WebView, or in the Play Store.

"Thus, depending on the settings of the command and control server and the instructions it sends, the trojan can not only advertise applications on Google Play, but also covertly load any websites, including advertisements (even videos) or other dubious content," the researchers found.

As an example, some users reported on Google's Play Store that they were "automatically subscribed to expensive content provider services" after installing applications containing the Android.Click.312.origin clicker Trojan.

Doctor Web's researchers found the clicker Trojan within the apps listed in the table below, which they reported to Google. The company removed several of the reported apps, while a number of them got updated and had the malicious module removed.

Package name SHA1 Minimum downloads com.a13.gpslock c0ddd6a164905ef6f65ec06ff088a991c01687e9 com.a13softdev.qrcodereader ea3e521d80730097f2c48dd9f0432749a07b9562 1000000 com.aitype.android 66c75e23ab7169475043cdc120206c06b261349d 10000000 com.crics.cricketmazza 1915eb46bd9ee2fe6748deaa0750cee83f72f8e0 1000000 com.dictionary.englishurdu 6c1347786aef5beb0060229c043e5c2ab24f1210 5000000 com.finance.loan.emicalculator b8370356b55b13824eac3f8c0129bc2a00ddaf93 1000000 com.fitness.stepcounter.pedometer 100b7a782cf12c0d08b94b3a8425c972f44f2ddc 100000 com.galaxyapps.routefinder 4328b4c99dac008e6c509ac1521014faa0dadcc3 5000000 com.guruinfomedia.ebook.pdfviewer 0a17c18c49c97cdf558a986037b0e4b0c8592442 100000 com.guruinfomedia.gps.speedometer 7964ec42624b91280a044024906ce71ec46cc6ea 1000000 com.guruinfomedia.gps.speedometerpro eca09c6331129c86e95a64a2f89dce8ad23cfea0 50000 com.guruinfomedia.notepad.texteditor 88d1c4d118decd4360e6a8abc186965ccc05fe23 1000000 com.guruinfomedia.notepad.texteditor.pro c5caf490f8627f510553b9336d62fd28382d22d5 100000 com.impactobtl.friendstrackerfree 0c7dbdb521efd7354d515e2b24c8f2c61432c4bc 1000000 com.impactobtl.whodeletedme 8b901532f3247bdafe84e2d315d900bfe3a91bd6 500000 com.mapsnavigation.gpsroutefinder.locationtrackers fbe2ac65d1a9c2894821faaff000ea7ac1147cee 1000000 com.qibla.compass.prayertimes 034ba8339be985c137108f4064bff4e156817c51 100000 com.qiblafinder.prayertime.hijricalendar ef8a44cabd1ed8ef37c303c8fc16effb6c28fa5c 1000000 com.quranmp3.readquran 9b4a330a6ebe026db5fd13483c1a0a9de4571c89 1000000 com.quranmp3ramadan.readquran a870ba7293fc5475b499466a90d9a38a539a645c 500000 com.ramdantimes.prayertimes.allah b13b296d20f360f8413b49459dc7397799e38763 1000000 com.ramdantimes.qibla.prayertimes e74dec8b5ff7d0fa77f21f21fdb49f0e0f3722c7 500000 com.sdeteam.gsa 4e8112e4e3039e4a8d2479e3acae858deae0c3a1 1000000 com.shikh.gurbaniradio.livekirtan 1c69c6cc2714496fb50818b1c46be0ca72086fad 100000 com.studyapps.mathen 9498a03c48b4802d1e529e42d5dc72a7e2da1593 500000 com.studyapps.obshestvo 4f2dfe1410b7de8f9301d5c54becfa87d7cdd276 100000 com.tosi.bombujmanual 8161f174eb43ee98838410e08757dd6dc348b53f 500000 com.videocutter.mp3converter f9a7b22c2a8c07cf1e878dc625ea60e634486333 1000000 com.vpn.powervpn a7dded17f59ad889d949232ee8b5c43d667ca351 1000000 liveearthcam.livewebcams.livestreetview 581f505f4a83ad2ff1823dd3477c000788a77829 500000 qrcode.scanner.qrmaker a53bcd4a4313dee7d6fd226867a005b8549c0227 5000000 remove.unwanted.object 22f2690b89e8c1ea0172ced211d3d57f07118bcb 10000000 com.ixigo.train.ixitrain 700819680439ce23945f25a20f1be97a1ff7d074 50000000

The researchers provide detailed information on what information the clicker Trojan sends to its C2 servers, as well as the commands and settings it receives from its operators.

Additionally, Doctor Web's research team also advises developers to "responsibly choose modules to monetize their applications and not integrate dubious SDKs into their software."