These malicious apps are integrated in a large number of legitimate mobile advertising platforms such as Google AdMob and Facebook Audience Network, among many others.įigure 8.
CLOUD CLEANAPP ANDROID
Like ANDROIDOS_TOASTAMIGO, one of the Android malware families we detected in 2017, the malicious Speed Clean app can download malware variants or payloads that can perform different ad fraud techniques.
CLOUD CLEANAPP APK
Screenshot of the malicious trojan APK under “Downloaded Apps” Instead, it added an app called “,” found under “Downloaded Apps.”įigure 7. Screenshot of malicious app traffic content, such as Android application packages “alps-14065.apk” and “_1.0.3.apk” (detected by Trend Micro as AndroidOS_BoostClicker.HRX), which were pushed to the affected device from ad configuration serversĮven after installing “alps-14065.apk,” no app icon was displayed on the launcher or on the device’s application list.
CLOUD CLEANAPP CODE
Screenshot of code showing the malicious service “”įigure 6. For example, the malicious ad content and trojan will be shown under the app’s “Recommend Pages” section.įigure 5.
CLOUD CLEANAPP REGISTRATION
Once registration is done, Speed Clean will start to push malicious ad content to users.
Screenshots of code that enables the malicious app to launch a transparent activity background on the affected deviceĪfter which, a malicious service called “” under the Java package “com.adsmoving” will establish a connection with remote ad configuration servers and register the new malicious installation. The Speed Clean app is also capable of launching a transparent activity background to hide malicious content from the user.įigure 4. However, we also observed malicious behavior surreptitiously happening in the affected device. Screenshot of ads shown on the Speed Clean app
When used, ads will pop up on the app, which is seemingly innocuous behavior for a mobile app.įigure 3. One of the apps associated with this campaign, Speed Clean, provides so-called features that can help boost the performance of mobile devices. Note: The nodes highlighted in red represent nodes detected by multiple vendors. A graphic representation of the relationships between the malicious ad configuration servers based on data obtained from VirusTotal Screenshots of the malicious apps previously found on Google Playįigure 2. The cybercriminals behind this campaign can use the affected device to post fake positive reviews in favor of the malicious apps, as well as perform multiple ad fraud techniques by clicking on the ads that pop up.įigure 1.
As of writing time, Google Play has already removed the malicious apps from the Play Store.īased on our analysis, the 3,000 malware variants or malicious payloads (detected by Trend Micro as AndroidOS_BoostClicker.HRX) that can be possibly downloaded to an affected device with this campaign pretend to be system applications that do not show app icons on the device launcher or application list. Our telemetry shows that this campaign has been active since 2017. These malicious apps, which are supposed to increase device performance by cleaning, organizing, and deleting files, have been collectively downloaded over 470,000 times. We recently discovered several malicious optimizer, booster, and utility apps (detected by Trend Micro as AndroidOS_BadBooster.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious payloads on affected devices.
0 kommentar(er)
