Malware that Just Won’t Give Up on Google Play

Nikolaos Chrysaidos, 24 July 2015

A team of malware authors is playing a cat and mouse game with Google. The game goes like this: they upload their malware, Google Play quickly takes it down, they upload a new mutation and Google takes it down. Current status of the game: the malware is back on Google Play. So far, the malicious apps have infected hundreds of thousands of innocent victims.

In April, we discovered porn clicker malware on Google Play posing as the popular Dubsmash app.

Mutant malware

Two days ago, we reported that a mutation of the porn clicker malware, created by a Turkish group of malware authors, had made its way back onto Google Play; the apps have since been removed from the Play Store.

Once the apps were downloaded, they did not do anything significant when opened by the user; they just showed a static image. However, once the unsuspecting victim opened his/her browser or other apps, the app began to run in the background and redirect the user to porn sites. Users may not have understood where these porn redirects were coming from, since it was only possible to stop them once the app was killed. Fellow security researchers at Eset reported that more apps with this mutation were on Google Play earlier this week. Eset also reported that the original form of the malware was uploaded to Google Play multiple times in May. Our findings, combined with those from Eset, prove that these malware authors are extremely persistent and determined to make Google Play a permanent residence for their malware.

I’ll be back…

… is what the authors of this malware must have said when Google removed their apps from the Play Store earlier this week. And sure enough, their malware is back on Google Play. The malware, which Avast detects as Clicker-AR, is in the following three apps: Doganin Güzellikleri, Doganin Güzellikleri 2, Doganin Güzellikleri 3. The name translates to “Nature’s Beauties”. Avast has reported the apps to Google.

What can you do?

Google has a lot on its plate. It has to maintain the most popular mobile operating system in the world, along with an app store with around 1.5 million apps.

That is where security providers, like Avast, jump in. You don’t expect Windows to completely protect you from malware, so just as you would install antivirus on your PC as an extra layer of protection, it is vital you install antivirus on your mobile device. More and more people are using mobile devices and storing a plethora of valuable information on them. This large target pool, combined with the valuable data, naturally makes mobile devices an attractive target for cybercriminals and they are determined to come for you.

Be vigilant

In addition to having antivirus installed on your phone, make sure you do the following:

    1. Pay attention to app permissions. If an app requests permissions that you think it does not need to function properly, then something is probably not right with the app.
    2. Check out the app’s reviews. If other users write bad reviews about the app, that is a sign that the app may not be something you want to download.

You can download Avast Mobile Security for free from the Google Play Store.

Hashes:

d8adb784d08a951ebacf2491442cf90d21c20192085e44d1cd22e2b6bdd4ef5f
2a14b4d190303610879a01fb6be85d577a2404dfb22ab42ca80027f3b11f1a6f
d05dcddecc2f93a17b13aa6cca587a15c4d82fe34fdb5e3acf97ddaaefb61941

*It seems as though "Zaren" may be sensing we are all onto him and has therefore changed his developer account name...