We detected 15 wallpaper apps in Google Play Store committing click ad fraud. The said apps were collectively downloaded from Play Store more than 222,200 times at the time of writing, and our telemetry showed Italy, Taiwan, the United States, Germany and Indonesia with the most infections recorded. Google has confirmed removal of all the identified apps.
Figure 1. The apps were briefly available for download in Google Play Store.
The apps were designed with enticing icons that promise beautiful mobile wallpapers. The apps themselves also have high user reviews and good comments, but we highly suspect that these reviews are fake and meant to project credibility to users.
Figure 2. Wild Cats HD Wallpaper app has been downloaded more than 10,000 times. Review of the app was rated 4.8 on Google Play Store.
Once downloaded, the apps decode the command and control (C&C) server address for the configuration.
Figure 3. C&C server address decoded and run.
The entire process is muted to hide the activity from the user. An HTTP GET request is communicated to the C&C for a JSON-formatted list once the app is launched.
Figure 4. The entire process is muted.
Figure 5. C&C server response.
When the feed runs, each initialized feed and object includes a fallback_URL, type, UA, URL, referer, x_requested_with, and keywords.
Figure 6. Initialized feed list.
The apps then get the advertising ID from Google Play Services, and replace some parameters in the URL, ANDROID_ID with the advertising ID, replace BUNDLE_ID with the fraudulent app’s package name, replace IP with the infected device’s current IP, and more. After replacement, the URL is loaded according to the type.
Figure 7. Constructing a fraudulent fallback_URL.
While loading the URL, the browser background will be set to transparent.
Figure 8. Background set to transparent.
After the URL loads, the apps begin to simulate clicks on the ad page.
Figure 9. Simulating fake ad clicks.
The cybercriminals profit through the parameters’ value replacement. IDs provided by Google for Android developers such as the advertising ID, advertiser ID and device ID are anonymous identifiers specific to users to monetize their apps. The app replaces ANDROID_ID, BUNDLE_ID, IP, USER_AGENT with the ad ID, the app’s package name, current IP, and the user agent of the current browser. These are all in the fallback_URL from the configuration file, creating a fraudulent fallback_URL for fake clicks. For example, the original would be:
This will be replaced with:
http[:]//pub.mobday.com/api/ads_api.php?ver=1.2&pubid=1022&adspace=1007&advid=260903559217b3a8&bundle=com.amz.wildcats&ip= 18.104.22.168&ua=Mozilla/5.0 (Linux; Android 6.0.1; MuMu Build/V417IR; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobile Safari/537.36&cb=5c1236f316e45
Trend Micro Solutions
Users have to be vigilant and be cautious of the apps they download, as cybercriminals will continue manipulating app features to profit, steal information and attack. Mobile devices have to be protected with a comprehensive security structure and program against mobile malware.
Trend Micro Mobile Security detects this threat, and Trend Micro Mobile Security Personal Edition defends devices from all related threats. Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps , and end users can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.
For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.
Indicators of Compromise
Installs (as of 12/14/2018)