A family of Android adware has slipped into the official Google Play Store on several occasions.
Most recently, the adware, dubbed GhostClicker, was found hidden in 340 otherwise unremarkable Android apps.
Android adware reaching the Google Play Store is now common.
In fact, it is becoming difficult to keep track of all the adware families.
Each case exposes weaknesses in Google Play's review checks that malware authors have learned to exploit in order to push adware to thousands of unsuspecting users.
The trick for getting malware past Google is to split the malicious code across several components, delay its execution, and run anti-sandboxing checks.
Together these keep the payload from executing in an obvious analysis environment.
History of GhostClicker
GhostClicker has been active since 2016.
It hides its malicious code by splitting it between the Facebook Ad SDK and Google Mobile Services packages bundled with the host app, so that it blends in with legitimate library code.
It also runs an anti-sandboxing check: the adware refuses to run if the device's user agent string contains "nexus", which is typical of the emulator images and sandboxes used for Android analysis.
Both tricks have served the GhostClicker developer well.
They have been in use for about a year, during which the developer kept uploading GhostClicker-infected apps to the Google Play Store.
The adware has evolved considerably in that year. Early versions required device administrator rights to operate.
Research into the current version, however, shows that it no longer needs administrator rights.
The change in modus operandi is meant to avoid raising suspicion.
With fewer privileges the adware looks less dangerous, so it can stay on an infected device for a long time without being noticed, even though it has fewer features.
GhostClicker Uses Taps and Pop-Ups
GhostClicker makes its profit from automated taps on ads.
It only taps ads that are served through the Google AdMob platform.
As a secondary earning method, GhostClicker redirects traffic to affiliate schemes by showing ads and pop-ups over other apps.
These send users to Google Play Store pages and YouTube links for other apps, among other destinations.
GhostClicker was clearly built to earn money; it does not steal personal user data.
Known Infected Android Apps
Researchers reported all 340 GhostClicker-infected apps to Google, yet about 101 of them were still available on the Google Play Store at the time of writing.
GhostClicker turns up in file manager apps, app cleaners, multimedia players, barcode scanners, GPS navigation apps, multimedia recorders, battery charging utilities and memory boosters.
Most of the victims are in Southeast Asia. The infected apps were downloaded at least five million times in total.
Abusing the Android framework and third-party plugin frameworks is becoming a new trend in the adware market. It is common, and legitimate, for mobile apps to promote other apps or to embed advertising SDKs.
Cross-promotion of this kind is a normal source of revenue for many mobile app developers.
The alarming trend in the mobile ad community is that adware has become more aggressive and abuses third-party Android plugin frameworks, which load one app inside another app's process.
Most applications assume they will always run inside their own application sandbox. They are now at risk because they have no way to tell that they have been launched in a plugin environment.
Android users should be cautious about the kind of apps they download from the Google Play Store.
Many of these apps display pop-ups continuously, and according to Google's own statistics they have been downloaded millions of times.
How Does GhostClicker Work?
The goal of the adware is to earn revenue from ad campaigns by generating fake traffic.
GhostClicker inserts its code directly into the Google AdMob advertising component, which lets it find where the ad is displayed on screen.
Once it has that information from the host app, it calculates the XY coordinates of the ad and dispatches touch events there to simulate a user's tap.
It also reads a device property through the infected app and uses it to build the user agent string it checks before running.
Most GhostClicker-containing apps request device administrator permission without declaring any of the security policies (such as resetting the password or wiping data) that would justify it.
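The anti-sandboxing check described in the History section and restated above (refusing to run when the device's user agent contains "nexus") leaves a recognisable pattern in decompiled code: a method that reads a device fingerprint and compares it against a hard-coded literal. The following Python script is an added example written for this article, not code from the report or from GhostClicker. It scans apktool-decoded smali for methods that read the `http.agent` system property (Android's default user agent, which embeds `Build.MODEL`), `Build.MODEL` itself, or `WebSettings.getUserAgentString()`, and also hold a marker literal. The smali sample is constructed by hand, and every marker beyond "nexus" is an assumption about common emulator fingerprints.

```python
"""Static triage: flag smali methods that compare a device fingerprint
against a hard-coded sandbox marker such as "nexus".

Added example for this article, not code from the Trend Micro report
or from GhostClicker. Assumes the APK was decoded with apktool; the
sample smali below is constructed by hand to show the pattern.
"""
import re

# Ways Android code commonly obtains a device fingerprint string.
# System.getProperty("http.agent") yields the default user agent,
# which embeds Build.MODEL (e.g. "... Nexus 5X Build/...").
FINGERPRINT_SOURCES = (
    '"http.agent"',
    "Landroid/os/Build;->MODEL:Ljava/lang/String;",
    "Landroid/webkit/WebSettings;->getUserAgentString()Ljava/lang/String;",
)

# "nexus" is the marker the article describes; the rest are an assumption
# based on common emulator fingerprints and may need tuning per sample.
DEFAULT_MARKERS = ("nexus",)
EXTENDED_MARKERS = DEFAULT_MARKERS + ("generic", "emulator", "goldfish", "sdk_gphone")

METHOD_RE = re.compile(r"^\.method\s+(?P<sig>.+?)\n(?P<body>.*?)^\.end method", re.M | re.S)
CONST_STR_RE = re.compile(r'const-string(?:/jumbo)?\s+[vp]\d+,\s+"((?:[^"\\]|\\.)*)"')


def split_methods(smali):
    """Return (signature, body) pairs for every method in a smali file."""
    return [(m.group("sig").strip(), m.group("body")) for m in METHOD_RE.finditer(smali)]


def find_sandbox_checks(smali, markers=DEFAULT_MARKERS):
    """Return methods that both read a fingerprint source and hold a marker literal."""
    findings = []
    for sig, body in split_methods(smali):
        sources = [src for src in FINGERPRINT_SOURCES if src in body]
        if not sources:
            continue
        literals = [lit.lower() for lit in CONST_STR_RE.findall(body)]
        hits = [lit for lit in literals if any(mk in lit for mk in markers)]
        if hits:
            findings.append({"method": sig, "sources": sources, "markers": hits})
    return findings


# Constructed sample (not taken from any real APK): one gate method of the
# kind the article describes, and one benign method that reads the same
# property to build a request header, which must not be flagged.
SAMPLE_SMALI = r'''
.class Lcom/example/ads/Gate;
.super Ljava/lang/Object;

# constructed: fingerprint check, returns true on a "nexus" device
.method private static a()Z
    .locals 2
    const-string v0, "http.agent"
    invoke-static {v0}, Ljava/lang/System;->getProperty(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    invoke-virtual {v0}, Ljava/lang/String;->toLowerCase()Ljava/lang/String;
    move-result-object v0
    const-string v1, "nexus"
    invoke-virtual {v0, v1}, Ljava/lang/String;->contains(Ljava/lang/CharSequence;)Z
    move-result v0
    return v0
.end method

# constructed: benign use of the same property
.method private static b()Ljava/lang/String;
    .locals 1
    const-string v0, "http.agent"
    invoke-static {v0}, Ljava/lang/System;->getProperty(Ljava/lang/String;)Ljava/lang/String;
    move-result-object v0
    return-object v0
.end method
'''

if __name__ == "__main__":
    for hit in find_sandbox_checks(SAMPLE_SMALI, markers=EXTENDED_MARKERS):
        print("%s reads %s and compares against %s" % (hit["method"], hit["sources"], hit["markers"]))
```

Run it over `smali*/**/*.smali` from an apktool output directory; a hit is a starting point for dynamic analysis, where the analyst either patches the gate or runs the sample on a device whose fingerprint does not contain the marker.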
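A device administrator grant that declares no policies is a useful triage signal on its own: an active admin app cannot be uninstalled until the user deactivates it, so an empty grant buys persistence and nothing else. The following Python script is an added example written for this article (not code from the report or from GhostClicker). It reads an apktool-style AndroidManifest.xml, finds receivers protected by `android.permission.BIND_DEVICE_ADMIN`, resolves the `android.app.device_admin` meta-data resource each one points at, and flags receivers whose policy file lists nothing under `<uses-policies>`. The manifest and policy files below are constructed by hand.

```python
"""Audit a decoded APK for device-administrator receivers that declare
no security policy.

Added example for this article, not code from the report or from
GhostClicker. Input is an apktool-style AndroidManifest.xml plus the
res/xml policy files it references; the samples are constructed by hand.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_META = "android.app.device_admin"


def android_attr(name):
    """Qualified attribute name for android:<name> as ElementTree sees it."""
    return "{%s}%s" % (ANDROID_NS, name)


def device_admin_receivers(manifest_xml):
    """Return (receiver class, policy resource reference) for each admin receiver."""
    root = ET.fromstring(manifest_xml)
    found = []
    for recv in root.iter("receiver"):
        if recv.get(android_attr("permission")) != BIND_DEVICE_ADMIN:
            continue
        resource = None
        for meta in recv.findall("meta-data"):
            if meta.get(android_attr("name")) == DEVICE_ADMIN_META:
                resource = meta.get(android_attr("resource"))
        found.append((recv.get(android_attr("name")), resource))
    return found


def declared_policies(policy_xml):
    """Policies listed under <uses-policies/> in a device_admin resource."""
    uses = ET.fromstring(policy_xml).find("uses-policies")
    return [] if uses is None else [child.tag for child in uses]


def audit(manifest_xml, policy_files):
    """policy_files maps a resource reference such as '@xml/device_admin'
    to that file's contents. A receiver with no policies is flagged: the
    only thing an empty admin grant buys is resistance to uninstallation."""
    report = []
    for receiver, resource in device_admin_receivers(manifest_xml):
        policies = declared_policies(policy_files[resource]) if resource in policy_files else []
        report.append({
            "receiver": receiver,
            "resource": resource,
            "policies": policies,
            "suspicious": not policies,
        })
    return report


# Constructed sample manifest: one admin receiver plus an unrelated receiver.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
  <application android:label="Cleaner">
    <receiver android:name="com.example.cleaner.AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/device_admin"/>
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.cleaner.BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed policy files: an empty grant and a grant that declares real policies.
EMPTY_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies/>
</device-admin>"""

REAL_POLICY = """<device-admin xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-policies>
    <reset-password/>
    <wipe-data/>
  </uses-policies>
</device-admin>"""

if __name__ == "__main__":
    for entry in audit(SAMPLE_MANIFEST, {"@xml/device_admin": EMPTY_POLICY}):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print("%s %s policies=%s" % (flag, entry["receiver"], entry["policies"]))
```

On a real decode, `@xml/device_admin` resolves to `res/xml/device_admin.xml` under the apktool output directory; a receiver that declares policies is not proof of good intent, but one that declares none has no legitimate reason to ask for the grant at all.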