McAfee cyber experts have reported 16 apps that engage in pay-per-click fraud without the knowledge of their users. This clicker malware was most often hidden behind a legitimate application such as flashlight, calendar or currency converter.
McAfee analysts have detected several Android apps that engage in ad fraud, or Pay Per Click Fraud. The cybersecurity company has obviously denounced these malware to Google, which in its effort to ban false and ad-riddled applications, hastened to remove them from the Store. However, they had time to do damage, since according to the software publisher, no less than twenty million users have already downloaded one of these sixteen malicious applications.
These apps are mostly utilities such as a flashlight, a measurement conversion tool or a QR code reader. Once installed, these download malicious code and then open a website in the background with advertisements. The malware visits these pages and behaves there like an average Internet user: it clicks on the links displayed and earn money for the cybercriminals who own this fake affiliate site.
Read also: QR Codes – be careful, hackers use them to empty your bank account
These Android apps install a clicker that opened hidden internet pages
Ad fraud is estimated to be the biggest cybercrime in terms of revenue. In 2022, the amount of losses attributable to it amounts to $68 billion, or nearly 20% of marketing spending. According to McAfee, the technique used by the hackers uses a Google service, the Firebase Cloud Messenging, which is used not only to create messaging, but also to send notifications to devices. Through the FCM, the hackers have found a way to send “hidden” messages that execute commands on the victim’s laptop: in this case open a hidden web page and launch a Clicker.
Of course, the goal for cybercriminals is to get as many pages visited as possible without being detected. Users who have installed one of these scam apps, but have remained attentive, will probably have noticed that their smartphone battery drains faster than usual and their network connection seems slower. Applications harboring this ad fraud vector malware are:
- James’ SmartTaskManager
- Flash More Caramel
- Memocalendar of Smh
- Joysoft WordBook
- BusanBus from kmshack
- Candleprotest by candlencom
- Movinapp Quicknote
- Smartwho’s SmartCurrencyConverter
- Joysoft Barcode
- Ezdica from Joysoft
- Schedulezero Instapp
- Meek’s Tingboard
- Candlencom’s Flashlite
- Calculation of Doubleline
- Imagevault.
Google not only asserts that all these apps have been removed from the play storebut also that Android smartphone users are protected by Google Protect.