Administrators Removed 16 Apps with Clicker Malware from Google Play

by Emma Davis
October 25, 2022
16 applications with malware
Written by Emma Davis

McAfee specialists reported that 16 applications with malware were removed from the Google Play store, with a total of more than 20 million downloads. All of these applications were infected with Clicker adware and disguised as harmless utilities.

Let me remind you that we also talked about Apps that spread AlienBot and MRAT malware found on Google Play.

The researchers say that Clicker could be downloaded under the guise of a flashlight, a camera, a currency or unit of measure converter, a QR code scanner, a note-taking app, or a dictionary.

16 applications with malware

The full list of dangerous applications is the following:

  1. High-Speed Camera (com.hantor.CozyCamera) – over 10,000,000 downloads;
  2. Smart Task Manager (com.james.SmartTaskManager) – over 5,000,000 downloads;
  3. Flashlight+ (kr.caramel.flash_plus) – over 1,000,000 downloads;
  4. 달력메모장 (com.smh.memocalendar) – over 1,000,000 downloads;
  5. K-Dictionary (com.joysoft.wordBook) – over 1,000,000 downloads;
  6. BusanBus (com.kmshack.BusanBus) – over 1,000,000 downloads;
  7. Flashlight+ (com.candlencom.candleprotest) – over 500,000 downloads;
  8. Quick Note (com.movinapp.quicknote) – over 500,000 downloads;
  9. Currency Converter (com.smartwho.SmartCurrencyConverter) – over 500,000 downloads;
  10. Joycode (com.joysoft.barcode) – over 100,000 downloads;
  11. EzDica (com.joysoft.ezdica) – over 100,000 downloads;
  12. Instagram Profile Downloader (com.schedulezero.instapp) – over 100,000 downloads;
  13. Ez Notes (com.meek.tingboard) – over 100,000 downloads;
  14. 손전등 (com.candlencom.flashlite) – over 1000 downloads;
  15. 계산기 (com.doubleline.calcul) – over 100 downloads;
  16. Flashlight+ (com.dev.imagevault) – 100+ downloads.

Once installed and launched, these apps did deliver the advertised features to users, but also secretly downloaded additional ad fraud-related code.

Infected devices received messages via Google’s Firebase Cloud Messaging platform instructing them to open certain pages in the background and follow links, artificially inflating clicks on the right ads.

This could lead to heavy consumption of network traffic and energy consumption without user’s awareness, and was also profitable for the attackers behind this malware.the experts write.

All malicious applications were shipped with the com.liveposting library, which launched hidden adware malware services. Also, some applications came with an additional com.click.cas library, which focused on the functionality of automatic clicks. To hide suspicious behavior, once installed, the malicious utilities waited about an hour before running these libraries.

Currently, all listed applications have already been removed from Google Play.

Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending