Google Removes Adware Apps, But 20 Million Downloads Sneak Through

Google has booted 16 malicious “clicker” apps discovered by researchers at McAfee off the Play Store, but not before they were downloaded around 20 million times (via BleepingComputer).

The apps had gone undetected until the folks over at McAfee exposed them in a recent report. Clicker apps are a nasty kind of adware that loads ads in invisible frames or in the background and automatically clicks them, generating revenue for their operators with victims none the wiser.

The worst offender was an app called DxClean, which racked up over five million downloads before it was removed. DxClean pretended to be a system cleaner and optimization tool for Android devices — ironic, considering such apps can use device resources (and data) and actually cause a drop in performance, overheating, and increased battery usage.

When a user launches a clicker app for the first time, the app phones home, downloads its configuration from a remote location via an HTTP request, and registers an FCM (Firebase Cloud Messaging) listener to receive push messages.

These messages contain instructions for the apps, such as which functions to call and what parameters to use. “When an FCM message receives and meets some condition, the latent function starts working,” McAfee explained in its report.

The motive of most of these apps is to simply generate ad revenue. As such, they are programmed to covertly browse websites in the background pretending to be an organic visitor. “Mainly, it is visiting websites which are delivered by FCM message and browsing them successively in the background while mimicking user’s behaviour,” the researchers added.

These apps even delay their malicious activity until an hour after installation to avoid arousing suspicion. Clicker apps don’t require the victim to ever interact with them or any ads, so users are unlikely to realize what’s happening unless they closely monitor their phone’s activity and resource usage when it is idle.
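The idle-time monitoring described above can be turned into a simple triage heuristic. The following is an added example, not code from McAfee's report or from this article: it flags apps that contact several distinct hosts while the screen is off and the app is not in the foreground. The record format, package names, hosts and thresholds are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample telemetry (not real data): one record per observed
# outbound connection. The field layout is an assumption for this example:
# (package, minutes_since_install, screen_on, app_in_foreground, host)
SAMPLE = [
    ("com.example.cleaner", 2, True, True, "config.example.net"),
    ("com.example.cleaner", 65, False, False, "site-a.example"),
    ("com.example.cleaner", 66, False, False, "site-b.example"),
    ("com.example.cleaner", 68, False, False, "site-c.example"),
    ("com.example.cleaner", 71, False, False, "site-d.example"),
    ("com.example.mail", 5, True, True, "mail.example.org"),
    ("com.example.mail", 90, False, False, "mail.example.org"),
    ("com.example.mail", 150, False, False, "mail.example.org"),
    ("com.example.browser", 10, True, True, "site-a.example"),
    ("com.example.browser", 12, True, True, "site-b.example"),
    ("com.example.browser", 14, True, True, "site-c.example"),
]

def flag_idle_browsers(records, min_hosts=3, min_idle_ratio=0.6):
    """Return {package: evidence} for apps whose traffic looks like
    unattended browsing: several distinct hosts contacted while the
    screen is off and the app is not in the foreground."""
    idle_hosts = defaultdict(set)   # distinct hosts seen while idle
    idle_first = {}                 # earliest idle connection per app
    total = defaultdict(int)        # all connections per app
    idle = defaultdict(int)         # idle connections per app
    for pkg, minute, screen_on, foreground, host in records:
        total[pkg] += 1
        if not screen_on and not foreground:
            idle[pkg] += 1
            idle_hosts[pkg].add(host)
            idle_first[pkg] = min(minute, idle_first.get(pkg, minute))
    flagged = {}
    for pkg, hosts in idle_hosts.items():
        ratio = idle[pkg] / total[pkg]
        # A mail client polling one host stays below min_hosts.
        if len(hosts) >= min_hosts and ratio >= min_idle_ratio:
            flagged[pkg] = {
                "distinct_idle_hosts": len(hosts),
                "idle_ratio": round(ratio, 2),
                "first_idle_minute": idle_first[pkg],
            }
    return flagged

if __name__ == "__main__":
    for pkg, why in flag_idle_browsers(SAMPLE).items():
        print(pkg, why)
```

The `first_idle_minute` value is reported rather than used as a filter, since a first idle connection about an hour after install matches the delay described above but is not proof on its own.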

Last month, security researchers from HUMAN’s Satori Threat Intelligence team identified 75 similar apps on Google’s Play Store and 10 apps on Apple’s App Store that were downloaded over 13 million times and engaged in ad fraud.

Looks like the new “Data Safety” section Google added for apps on the Play Store earlier this year needs a “clicks on ads when you’re not looking” label.