Trojan clicker’s gaze cast upon Google Play store

Posted: June 2, 2016 by Nathan Collier
Last updated: June 13, 2016

We’ve discovered a Trojan clicker on the Google Play store doing far more than advertised.

The app name in Turkish is “Mayis Guzel Aydir”, which roughly translates to “May is a Beautiful Month”.

When you open the app, the full-screen eyeball gives off a definite 2001: A Space Odyssey vibe:

After attempting to get the program to work and failing, you’ll quickly become bored and uninstall it. However, the whole time the app is on board, it is doing quite a bit in the background.

None the wiser, you may have removed the app, but the damage has already been done.

To see what “Mayis Guzel Aydir” is really up to, we first look in the decompiled Jar code. Within the code, an OnCreate() function is found containing a suspicious website. The app directs to the suspicious website whenever the app is opened.

After manually browsing to the website found within the OnCreate() function, JavaScript code lies in wait. Once run, the JavaScript code randomly selects from a list of websites, and “clicks” (browses/opens) to them in the background. All the websites found in the list contain adult/explicit material.

Over and over again, the app clicks on these various websites. The purpose of this is to gain revenue on a pay-per-click basis; thus, it’s called a clicker. In this case, we call it Trojan.PornClicker. Every time the app clicks any of these websites, the bad guys get paid and you are left with some embarrassing network traffic.

“Mayis Guzel Aydir” had 1,000 – 5,000 installs and 3.2 star rating with 383 ratings given on Google Play at the time of this blog post. It had no description, and only a few screenshots of a calculator app which doesn’t exactly line up with the app name. There were also several other versions of this app with the same app name but a number at the end; i.e. “Mayis Guzel Aydir 2”. At time of writing, the app has been taken down, but there may be others still out there. Porn clickers are a lucrative money spinner.

Although you may expect something from Google Play to be safe, the lesson here is to always be wary of suspicious apps no matter the source. Even with all the checks Google performs on apps before allowing them on the Play store, no system can be one hundred percent safe when the bad guys are constantly looking for cracks to exploit.

Nathan Collier

COMMENTS

Eric Vanhove

I’d translate it to “May is certainly a nice month”… terrible malware, though.
Alesha Marin

“Although you may expect something from Google Play to be safe”
Wait, people are actually expecting Google Play to be safe??? LOL, there is nothing safe about android… >.<
AmericanIndependent121

There is nothing safe about using a smartphone without having the proper security, period. Now that more people have switched over to the mobile platform, hackers everywhere are looking for new ways to steal someone’s information.

For instance, someone I know once got malware on their iPhone after they downloaded what looked to be a malicious app from the Apple store. However, it was removed after they used a paid version of Malwarebytes…or something similar to it anyway.

With that being said, in my opinion, Malwarebytes and HitmanPro are among THE best anti-malware scanners out on the market today. They have both delivered proven results many times before. For that reasoning, I continue to recommend both scanners to everyone that I know.
Alesha Marin

Applications in the APP store are scanned for malware before being published. You are a liar sir. Your friends probably jailbroked their phone and downloaded the crapware from Cydia, not from Apple App Store.
Atampy26

Looks like someone didn’t hear of XcodeGhost
Matthew Carter

Such a useful information… thank you. Im so glad i bought Malwarebytes app… its so worth it.
Blackbird Woman

Yes you are right..i tend to give Google a lot of kudos for being safe but sometimes the bad guys get it .

RELATED ARTICLES

Cybercrime | Malware

Intentional PE Corruption

April 30, 2012 - Malwarebytes Anti-Malware is under constant attack. 24 hours per day, 7 days per week, 365 days per year. If you read my recent blog post about the development of Malwarebytes Chameleon, you know that we at Malwarebytes have big red ‘X’s on our chests; the bad guys are always out to get us. Malwarebytes Anti-Malware...

CONTINUE READING 14 Comments

Cybercrime | Malware

The Cat-and-Mouse Game: The Story of Malwarebytes Chameleon

April 24, 2012 - The fight against malware is a cat-and-mouse game. It is constant and constantly escalating. They make a move, you counter it, they counter your counter, lather, rinse, repeat. What’s more: malware almost always has the advantage. Our software Malwarebytes Anti-Malware earned a reputation for having a high success rate in combating new in-the-wild malware infections:...

CONTINUE READING 7 Comments

Cybercrime | Hacking

Cybercrime at $12.5 Billion: The Great Underreported Threat

May 7, 2012 - From the outside looking in, it may appear that the press regularly reports stories when a company’s website, database or intellectual property has been hacked, stolen or compromised. The more eye-opening fact of the matter is that the scale and scope of the cybercrime problem is much, much larger and the actual incidences of these...

CONTINUE READING 2 Comments

Cybercrime | Hacking

DDOS, Botnets and Worms…Oh My!

May 14, 2012 - The recent attack on the Serious Organized Crime Agency (SOCA), most likely in response to the 36 data selling sites shut down a few weeks ago, lead to the admission by high ranking SOCA officials that the Ministry of Defense networks need to “beef up their security.” In response to this we would like to...

CONTINUE READING 1 Comment

Cybercrime | Exploits

“The Sky is Falling… Are You at Risk from the Flame Malware?”

June 1, 2012 - The last time I checked with Google News this morning there were over 19,100,000 results for “flame malware”. You may have heard many stories this week about this complex trojan. Here are links to three of my current personal favorite articles on “Flame”. Powerful ‘Flame’ cyberweapon tied to popular Angry Birds game – (Fox News)...

CONTINUE READING 3 Comments

ABOUT THE AUTHOR

Nathan Collier
Senior Malware Intelligence Analyst

Full time mobile malware researcher, part time endurance mountain bike athlete and world traveler. As nerdy about biking as he is about mobile malware.

CATEGORIES

101 Cybercrime Malwarebytes news PUP Security world

TOP POSTS