Wednesday, March 9, 2016

Porn clicking Trojan on Google Play can consume more than 3 GB in one day


Not long after one of the largest malicious campaigns on Google Play was revealed, Trojan porn clickers were once again available to install from the Play Store. The porn clicker once again infected thousands of Google Play users around the world.
 




In two weeks, another 39 infected applications were found, with thousands of installs. The Trojan clickers pretended to be copies or new versions of famous games with a high number of downloads. The most impersonated games were My Talkin Angela, My Talkin Tom, Hay Day, GTA and Subway Surfers, with different postfixes such as V2, V3, Free or 2016. The Trojan clickers can even masquerade as paid games, mostly with "Free" added to the name (e.g. GTA Vice City Free, GTA San Andreas Free, GTA Chinatown Free).

Figure 1 Porn clicker from Google Play

Users could easily be tempted just to try these free versions of otherwise paid games. This is the key strategy for the bad guys.
After the first start, the app icon is immediately removed from the home screen, so the user can't identify the malicious fake app. The installed app never has the same name or icon as on Google Play.

Figure 2 Android/Clicker installed on the device

After the apps were pulled from the Play Store, Android's verification system started to detect some of them as potentially harmful applications. Google's "Verify apps" setting started to warn users not to install an app from an untrusted source, even though the app had been installed from the Google Store :).

Figure 2 Interesting warning


Testing mobile data consumption

I tried to find out how much mobile data this Android/Clicker can consume. I tested it on two devices, a Samsung Galaxy S3 and a Galaxy S5, using two different porn clickers that were available on Google Play. Both of them ran for 60 minutes while traffic was monitored.



| Time elapsed | Samsung Galaxy S3 | Samsung Galaxy S5 |
|---|---|---|
| After 5 minutes | 17.73 MB | 12.18 MB |
| After 10 minutes | 26.34 MB | 20.32 MB |
| After 15 minutes | 36.07 MB | 29.61 MB |
| After 20 minutes | 44.21 MB | 40.20 MB |
| After 25 minutes | 52.84 MB | 53.44 MB |
| After 30 minutes | 60.34 MB | 71.78 MB |
| After 35 minutes | 67.89 MB | 87.30 MB |
| After 40 minutes | 76.12 MB | 104 MB |
| After 45 minutes | 85.67 MB | 120 MB |
| After 50 minutes | 96.35 MB | 142 MB |
| After 55 minutes | 105 MB | 161 MB |
| After 60 minutes | 116 MB | 176 MB |



Based on the experiment, the porn clicker can consume approximately 146 MB in an hour. If the infiltration is not detected early enough, it can consume more than 3.5 GB of data in one day! If the infected user mainly uses the operator's mobile data plan, then this porn clicker can be a very expensive application.
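As an added example (not code from the original post), the cumulative readings from the measurements above can drive a simple check for the pattern they show: traffic that never pauses. The 5 MB per 5-minute floor, the 30-minute run length and the `BURSTY` series are assumptions constructed for illustration.

```python
# Cumulative MB at each 5-minute mark, copied from the measurements above.
S3 = [17.73, 26.34, 36.07, 44.21, 52.84, 60.34, 67.89, 76.12, 85.67, 96.35, 105, 116]
S5 = [12.18, 20.32, 29.61, 40.20, 53.44, 71.78, 87.30, 104, 120, 142, 161, 176]
# Constructed sample (not from the article): 10 minutes of streaming, then idle.
BURSTY = [60, 118, 118.4, 118.9, 119.1, 119.1, 119.6, 120, 120.2, 120.2, 120.5, 121]

WINDOW_MIN = 5   # sampling interval used in the article's test
FLOOR_MB = 5.0   # assumed threshold: MB transferred per 5-minute window
MIN_RUN = 6      # assumed: 6 consecutive windows (30 minutes) above the floor

def window_deltas(cumulative):
    """Turn cumulative counters into per-window usage (counter starts at 0)."""
    prev, out = 0.0, []
    for value in cumulative:
        out.append(round(value - prev, 2))
        prev = value
    return out

def longest_run_above(deltas, floor=FLOOR_MB):
    """Length of the longest streak of windows at or above the floor."""
    best = run = 0
    for d in deltas:
        run = run + 1 if d >= floor else 0
        best = max(best, run)
    return best

def is_sustained(cumulative):
    """True when traffic stays above the floor for MIN_RUN windows in a row."""
    return longest_run_above(window_deltas(cumulative)) >= MIN_RUN

def projected_mb_per_day(cumulative):
    """Linear extrapolation of the observed total to 24 hours."""
    hours = len(cumulative) * WINDOW_MIN / 60
    return cumulative[-1] / hours * 24

def average_projection(*series):
    return sum(projected_mb_per_day(s) for s in series) / len(series)

if __name__ == "__main__":
    for name, s in (("S3", S3), ("S5", S5), ("bursty", BURSTY)):
        print(name, "sustained:", is_sustained(s),
              "projection:", round(projected_mb_per_day(s)), "MB/day")
    print("average of both devices:", round(average_projection(S3, S5)), "MB/day")
```

The constructed bursty app moves more data in the hour than the clicker on the Galaxy S3, yet only the clicker series trip the check, because the clicker never drops below 7.5 MB in any 5-minute window.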

Example of infection

Let's look at an example of how easily a user can get infected by searching for his favorite game on the Play Store.




Users continue to install these apps even though the applications have bad reviews with many negative comments.

Figure 3 Users review

Details


4 comments:

  1. Great post, looking forward to more posts from you and your website.

  2. Amazing, more people need to read this article, thanks for the heads up mate!

  3. You should better view this blog for even more articles on how to find hidden apps on your phone.
