McAfee specialists reported that 16 applications with malware were removed from the Google Play store, with a total of more than 20 million downloads. All of these applications were infected with Clicker adware and disguised as harmless utilities.
Let me remind you that we also talked about Apps that spread AlienBot and MRAT malware found on Google Play.The researchers say that Clicker could be downloaded under the guise of a flashlight, a camera, a currency or unit of measure converter, a QR code scanner, a note-taking app, or a dictionary.
The full list of dangerous applications is the following:
- High-Speed Camera (com.hantor.CozyCamera) – over 10,000,000 downloads;
- Smart Task Manager (com.james.SmartTaskManager) – over 5,000,000 downloads;
- Flashlight+ (kr.caramel.flash_plus) – over 1,000,000 downloads;
- 달력메모장 (com.smh.memocalendar) – over 1,000,000 downloads;
- K-Dictionary (com.joysoft.wordBook) – over 1,000,000 downloads;
- BusanBus (com.kmshack.BusanBus) – over 1,000,000 downloads;
- Flashlight+ (com.candlencom.candleprotest) – over 500,000 downloads;
- Quick Note (com.movinapp.quicknote) – over 500,000 downloads;
- Currency Converter (com.smartwho.SmartCurrencyConverter) – over 500,000 downloads;
- Joycode (com.joysoft.barcode) – over 100,000 downloads;
- EzDica (com.joysoft.ezdica) – over 100,000 downloads;
- Instagram Profile Downloader (com.schedulezero.instapp) – over 100,000 downloads;
- Ez Notes (com.meek.tingboard) – over 100,000 downloads;
- 손전등 (com.candlencom.flashlite) – over 1000 downloads;
- 계산기 (com.doubleline.calcul) – over 100 downloads;
- Flashlight+ (com.dev.imagevault) – 100+ downloads.
Once installed and launched, these apps did deliver the advertised features to users, but also secretly downloaded additional ad fraud-related code.
Infected devices received messages via Google’s Firebase Cloud Messaging platform instructing them to open certain pages in the background and follow links, artificially inflating clicks on the right ads.
All malicious applications were shipped with the com.liveposting library, which launched hidden adware malware services. Also, some applications came with an additional com.click.cas library, which focused on the functionality of automatic clicks. To hide suspicious behavior, once installed, the malicious utilities waited about an hour before running these libraries.
Currently, all listed applications have already been removed from Google Play.