Android is so huge today that even if Google claims to be able to keep 99% of the malware-riddled content away, what little amount of apps that do get through can compromise millions of users and devices.
Most recently, Google has removed 22 apps from the Play Store for abusing the Android environment to click on ads repeatedly, the user being none the wiser.
Now, this is the most common type of malware found in Android security reports. After all, it generates revenue for its creators directly, profiting from loading ads and/or clicking on them automatically.
But this particular adware has a behaviour that is slightly strange. It deceives networks into thinking its carrier device is an iPhone. More specifically, it opens a hidden browser tab and changes the UserString to iPhone, then proceeding to click on ads.
This happens because networks value iOS clicks more than their Android counterparts. In fact, iPhone users spend, on average, three times more than Android users while browsing e-commerce sites.
That aside, according to SophosLab, the firm that discovered the fraud, “the apps also have downloader capabilities, if the command-and-control server instructs them to retrieve other files.” This is probably the worst danger present in the malicious files.
What’s more, the infected apps do have iOS versions, by the same developers available at the iTunes store. However, they don’t feature the hidden ad-clicking functionality.
It was also specifically designed to be persistent.
Andr/Clickr-ad, as it was identified, can persist after most process-killing methods. Even if forced to quit by system settings, it resumes operation after three minutes. Rebooting the device doesn’t work, either.
This is achieved by a fairly sophisticated method to keep running — a sync adapter. The server to which the applications are bound can issue a number of commands, creating a “well-organised” adware that can “cause serious harm to end users” in the form of battery drain and a sudden increase in data usage.
Security firms and Google must watch Andr/Clickr-ad closely
Indeed, approximately two million people were affected by the malware until Google removed the apps from the Store. It’s important to note, however, that this might be a new, hard-to-track family of adware operations.
Chen Yu, the SophosLab engineer that identified and reported the details about Andr/Clickr-ad, points out that the adware has been running since June and remained undetected.
The malware creation and operation is in constant evolution and, likewise, security measures from Google must step up to protect its users from malicious applications.