  • Researchers discover yet another clicker campaign, and this time it was a pretty large one.
  • The campaign has targeted three individual ad agencies through malware pushed by six applications.
  • At the time of the finding, there were a total of 90 million installations of the clicker malware.

Check Point’s researchers have uncovered a fraudulent operation that deployed ad-clicking malware, which imitated user clicks to make money out of three ad agencies, namely Presage, Admob, and Mopub. The malware was pushed through six applications that were collectively downloaded over 90 million times, so we’re talking about a large-scale operation that generated considerable revenue for the fraudsters, all on the back of the users and out of the pockets of the aforementioned ad agencies. The six fraudulent package names are:

  • com.pic.mycamera – 57 million installations
  • com.omni.cleaner – 48 million installations
  • com.speedbooster.optimizer – 24 million installations
  • com.rambooster.totalcleaner – 15 million installations
  • com.cooler.smartcooler – 12 million installations
  • com.flashlight.torch.screenlight.party – 3.4 million installations

If you have any of the above applications installed on your phone, remove them immediately, as your device is taking part in the PreAMo clicker campaign. Google has already removed these apps from the Play Store, so they are no longer available for new installations.

According to Check Point, the code in the malware features three distinct parts, one devoted to each of the ad agencies, with their point of convergence being their communication with the same malicious C&C server, “res.mnexuscdn.com”. This server is responsible for collecting statistics from the apps, as well as for sending configuration instructions. The fake clicks in all three cases are carried out by utilizing the ‘MotionEvent’ framework functionality, after the banner has been loaded through the ad network.

To fool the network and avoid detection of the fraudulent activity, the malware sets a random value for the clicking intervals and respects an upper limit on the number of clicks that is set by the C&C server. In all three code parts, the authors mixed their code with the ad-serving library’s original code, setting up the clicking events, the timer configurations, the delay intervals, the randomly generated coordinates, and anything else required to make the fake clicks believable.
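As an added example (not code from Check Point or from the original article), the following check looks for the six package names and the C&C host named above in two inputs a defender can collect: the output of `adb shell pm list packages` and a DNS query log. The dnsmasq-style log format and all sample data are assumptions constructed for illustration.

```python
import re

# Package names and C&C host exactly as listed in the article.
PREAMO_PACKAGES = {
    "com.pic.mycamera",
    "com.omni.cleaner",
    "com.speedbooster.optimizer",
    "com.rambooster.totalcleaner",
    "com.cooler.smartcooler",
    "com.flashlight.torch.screenlight.party",
}
PREAMO_C2 = "res.mnexuscdn.com"

def flagged_packages(pm_output):
    """Return PreAMo packages present in `adb shell pm list packages` output."""
    installed = set()
    for line in pm_output.splitlines():
        line = line.strip()  # adb output may carry a trailing carriage return
        if line.startswith("package:"):
            installed.add(line[len("package:"):])
    # Exact match only, so a lookalike such as com.pic.mycamera.pro is not flagged.
    return sorted(installed & PREAMO_PACKAGES)

# Assumed dnsmasq-style query line: "... query[A] <name> from <client>"
_QUERY = re.compile(r"query\[[A-Z0-9]+\]\s+(\S+)\s+from\s+(\S+)")

def c2_clients(dns_log):
    """Map each client address to its number of lookups of the C&C host."""
    hits = {}
    for line in dns_log.splitlines():
        m = _QUERY.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()  # normalise case and root dot
        if name == PREAMO_C2 or name.endswith("." + PREAMO_C2):
            hits[m.group(2)] = hits.get(m.group(2), 0) + 1
    return hits

# Constructed sample inputs (not real device or network data).
SAMPLE_PM = ("package:com.android.chrome\r\npackage:com.omni.cleaner\r\n"
             "package:com.pic.mycamera.pro\r\npackage:com.cooler.smartcooler\r\n")
SAMPLE_DNS = """\
Apr 10 12:00:01 dnsmasq[412]: query[A] res.mnexuscdn.com from 192.168.1.23
Apr 10 12:00:02 dnsmasq[412]: query[A] www.example.org from 192.168.1.40
Apr 10 12:03:17 dnsmasq[412]: query[AAAA] RES.MNEXUSCDN.COM. from 192.168.1.23
Apr 10 12:05:44 dnsmasq[412]: query[A] res.mnexuscdn.com.example.net from 192.168.1.51
"""

if __name__ == "__main__":
    print("Installed PreAMo packages:", flagged_packages(SAMPLE_PM))
    print("Clients resolving the C&C host:", c2_clients(SAMPLE_DNS))
```

A client that resolves the C&C host without any of the six packages installed is still worth examining, since the article only lists the apps known at the time of the finding.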


If you want to stay away from fraudulent ad-clicker campaigns, trust only the official market, which in the case of Android is Google Play. As these apps were in the official store, remember that the second step should be to check the app’s rating and to read a selection of the negative comments to get an idea of what may be going on. Finally, using an AV solution from a reputable vendor is a solid method that helps you stay protected.
