Porn Clicker Android malware hits Google Play hard

In a little over seven months, cybercriminals using click-jacking mobile malware to earn affiliate income have managed to push over 340 instances of the malware into Google Play.

The “Porn Clicker,” as ESET researchers have dubbed the threat, does not steal user information or download additional malware – it simply clicks on ads generated by the attackers’ servers and shown on pornographic websites. The user is none the wiser, as the malicious app does so covertly.

The Trojan is made to look like popular gaming or other apps – GTA, Subway Surfers, Candy Crush, wallpaper apps, etc. – but it actually does not have any legitimate functionality.

The fake apps are not difficult to identify – if one knowns what to look for.

Most often than not user reviews for those apps are mostly negative, and the reviewers warn potential future victims about the malicious or fraudulent nature of the apps. That’s likely why the crooks keep repackaging the malware, changing just a few details in the name or description, and uploading it again on Google Play.

Users who know enough to check whether the developer of an app is the legitimate one before downloading it are safe from this type of attack, but unfortunately not all are that knowledgeable.

The researchers posit that this particular threat continues to go unnoticed because porn clickers have implemented an antivirus check. After getting installed, and before running, the malware checks for the presence of a considerably long list of popular mobile security apps. If it finds one, the malicious functionality will not be triggered.

“Based on data found on the attackers’ servers, which generates the ads, there were clearly many more trojan clickers,” the researchers note. “It’s hard to determine whether all of those apps were on the Play Store – perhaps they were only hosted on third-party stores. We found references to 187 applications aside from those apps already discovered on the Play Store.”