Trojan clicker's gaze cast upon Google Play store - Malwarebytes Labs

Trojan clicker’s gaze cast upon Google Play store

Posted: June 2, 2016 by Nathan Collier
Last updated: June 13, 2016

We’ve discovered a Trojan clicker on the Google Play store doing far more than advertised.

The app name in Turkish is “Mayis Guzel Aydir”, which roughly translates to “May is a Beautiful Month”.

When you open the app, the full-screen eyeball gives off a definite 2001: A Space Odyssey vibe:

After attempting to get the program to work and failing, you’ll quickly become bored and uninstall it. However, the whole time the app is on board, it is doing quite a bit in the background.

None the wiser, you may have removed the app, but the damage has already been done.

To see what “Mayis Guzel Aydir” is really up to, we first look in the decompiled Jar code. Within the code, an OnCreate() function is found containing a suspicious website. The app directs to the suspicious website whenever the app is opened.

After manually browsing to the website found within the OnCreate() function, JavaScript code lies in wait. Once run, the JavaScript code randomly selects from a list of websites, and “clicks” (browses/opens) to them in the background. All the websites found in the list contain adult/explicit material.

Over and over again, the app clicks on these various websites. The purpose of this is to gain revenue on a pay-per-click basis; thus, it’s called a clicker. In this case, we call it Trojan.PornClicker. Every time the app clicks any of these websites, the bad guys get paid and you are left with some embarrassing network traffic.

“Mayis Guzel Aydir” had 1,000 – 5,000 installs and 3.2 star rating with 383 ratings given on Google Play at the time of this blog post. It had no description, and only a few screenshots of a calculator app which doesn’t exactly line up with the app name. There were also several other versions of this app with the same app name but a number at the end; i.e. “Mayis Guzel Aydir 2”. At time of writing, the app has been taken down, but there may be others still out there. Porn clickers are a lucrative money spinner.

Although you may expect something from Google Play to be safe, the lesson here is to always be wary of suspicious apps no matter the source. Even with all the checks Google performs on apps before allowing them on the Play store, no system can be one hundred percent safe when the bad guys are constantly looking for cracks to exploit.

Nathan Collier

COMMENTS

Trojan clicker’s gaze cast upon Google Play store

A week in security (May 13 – 19)

Awakening the beast: BatMobi adware

A week in security (February 18 – 24)

Browser push notifications: a feature asking to be abused

A week in security (January 7 – 13)

Cybersecurity info you can't do without