Google removes malicious 16 apps with more than 20 million downloads

[German]Google has once again had to remove 16 Android apps from a Google Play Store. The reason: The apps contain a "clicker malware" that is designed to commit advertising fraud. Apparently useful apps (flashlight, QR code, photos/camera) that had been downloaded by more than 20 million users were affected.


Cybercriminals are constantly looking for business models to gain money. One scam is to post apps with malicious code to the Google Play Store and then pursue fraudulent approaches. This includes so-called click fraud, in which apps reload ads, possibly invisibly, so that the app developers collect the advertising fee from the advertising networks. The advertisers are harmed in that the ads are never seen. Users who have such apps on their (Android) devices run into the problem that the battery may be drained faster and data transfer jumps. 

New clicker malware found

While analyzing Android apps on Google, the McAfee Mobile Research team has come across a new clicker malware. The code of this malware was found in (ostensibly) useful utilities such as Torch, QR Reader, Camara, Unit Converter and Task Manager.

Malicious Android Apps
Malicious Android apps; Source: McAfee

Users who installed these apps got a malware on their device, which could get new features via remote configuration. First, a Firebase cloud messaging listener (FCM) was downloaded to receive push messages. While users were using its functions on the app they were using, the malware was executing ad fraud functions in the background.

16 apps removed from Play Store

After McAfee identified the malicious apps, the team reported the finding to Google. All the identified apps were immediately removed by Google from the Google Play Store. Users using Google Play Protect on their Android devices are also protected from the Google Play Store apps in question, as this feature blocks the malicious apps from running in Android. McAfee Mobile Security products detect this threat as Android/Clicker, protecting users from this malware. In total, we are talking about 16 Android apps from the Google Play Store, which probably reached more than 20 million installations.


McAfee threadreport about Android Clicker Fraud Apps

McAfee disclosed the whole thing in the blog post New Malicious Clicker found in apps installed by 20M+ users (see also this tweet and the media reports 1, 2 based on the Mc Afee). More details of the malicious apps are described in the McAfee post, and there is also a list at the end of the article with the names of the affected apps and the URLs that were communicated with.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *