Recently, the Mobile Malware Research Team of Intel Security found a new campaign of Android/Clicker.G on Google Play, spread across dozens of published malicious apps. This threat targets Russians, but the apps are accessible worldwide.
The attackers lure their victims with apps associated with health care, sports, food, games, and many other topics. Some of the apps have good reviews; installation counts range from low to between 1,000 and 5,000 victims.
One application loads a web view with content from different sources that could offer some value to the victim, gaining some credibility with users.
To appear legitimate, this threat does not immediately execute the malicious payload. Six hours after the first execution or boot (BOOT_COMPLETED) the nightmare starts. Once the process begins, the victim will see unwanted advertisements or fake system updates from hxxp://update-sys-android.com every two minutes. These alerts can redirect the victim to download other threats that can compromise the victim’s device and data.
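For defenders, the two-minute cadence is something to look for in web-proxy or DNS logs. The following is an added example, not code from the original post or from McAfee: it flags devices that contact the host named above at roughly that interval. The log format, device names, thresholds and sample lines are constructed assumptions, as is the premise that each alert produces a request to that host.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

IOC_HOST = "update-sys-android.com"  # host from the write-up (defanged there as hxxp://)
PERIOD_S = 120       # "every two minutes" per the write-up
TOLERANCE_S = 20     # assumed jitter allowance
MIN_HITS = 4         # assumed minimum number of requests before flagging

# Constructed sample proxy log: "<ISO timestamp> <device id> <requested host>"
SAMPLE_LOG = """\
2024-01-10T09:00:00 tablet-07 update-sys-android.com
2024-01-10T14:00:05 phone-12 update-sys-android.com
2024-01-10T14:01:10 phone-12 example.org
2024-01-10T14:02:03 phone-12 update-sys-android.com
2024-01-10T14:04:07 phone-12 UPDATE-SYS-ANDROID.COM.
2024-01-10T14:06:04 phone-12 update-sys-android.com
2024-01-10T14:08:06 phone-12 update-sys-android.com
2024-01-10T14:30:00 phone-31 update-sys-android.com.other.example
malformed line
"""

def find_periodic_clients(log_text, ioc=IOC_HOST):
    """Return {device: median gap in seconds} for devices on the two-minute cadence."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        ts, device, host = parts
        host = host.rstrip(".").lower()  # tolerate case and trailing-dot variants
        # Match the host or its subdomains, not look-alikes that merely start with it.
        if host != ioc and not host.endswith("." + ioc):
            continue
        try:
            hits[device].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # skip unparseable timestamps
    flagged = {}
    for device, times in hits.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Median resists a single delayed or dropped request.
        if len(times) >= MIN_HITS and abs(median(gaps) - PERIOD_S) <= TOLERANCE_S:
            flagged[device] = median(gaps)
    return flagged

if __name__ == "__main__":
    print(find_periodic_clients(SAMPLE_LOG))
```

A single request to the host, like the one from `tablet-07` in the sample, is still worth investigating; the cadence check only separates an active payload from a one-off contact.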
Unlike most sophisticated malicious apps, this one does not hide its behavior; the payload is not encrypted or obfuscated:
McAfee Mobile Security detects this Trojan as Android/Clicker.G!Gen. We have already reported hashes, developer names, and accounts to Google Play. We have also found this malware in third-party markets and have notified them. However, the threat remains active and may be distributed in other markets or by other methods, so we recommend you keep a security solution on your smart phone to avoid infection.
We would like to thank Android Security for promptly responding to our takedown request yesterday.
For more information about McAfee Mobile Security, visit http://www.mcafeemobilesecurity.com.
SHA-256 hash of analyzed sample: