Doctor Web: nearly 102 million Android users install clicker Trojan from Google Play directory

Clicker Trojans are common malware for building website visits and monetizing online traffic.

They simulate user actions on web pages by clicking on the links and other interactive elements located on them. Doctor Web virus analysts have detected another such Trojan on Google Play.

The Trojan is a malicious module that, according to Dr.Web classification, is named Android.Click.312.origin. It is built into ordinary applications – dictionaries, online maps, audio players, barcode scanners and other software. All these programs are workable, and for owners of Android devices look harmless. In addition, upon their launch, Android.Click.312.origin starts malicious activity after only 8 hours, so as not to cause suspicion among users.
Once launched, the Trojan sends the following information about the infected device to the management server:

manufacturer and model;
OS version
country of residence of the user and the default language of the system;
user agent identifier;
name of mobile operator;
type of internet connection;
screen options;
time zone;
Information about the application in which the Trojan is embedded.
In response, the server sends it the necessary settings. Some functions of the malicious application are implemented using reflection, and these settings contain the names of methods and classes along with parameters for them. These parameters are used, for example, to register a broadcast receiver and content observer, with which Android.Click.312.origin monitors the installation and updating of programs
When installing a new application or downloading an apk file by the Play Market client, the Trojan sends information about this program along with some technical data about the device to the management server. In response, Android.Click.312.origin receives the addresses of sites, which it then opens in an invisible WebView, as well as links that it downloads in a browser or Google Play directory.Thus, depending on the settings of the control server and the instructions received from it, the Trojan can not only advertise applications on Google Play, but also quietly download any sites, including advertisements (including video) or other questionable content. For example, after installing applications in which this Trojan was built, users complained about automatic subscriptions to expensive content provider services

Doctor Web specialists were unable to recreate the conditions for the Trojan to download such sites, however, the potential implementation of this fraudulent scheme in the case of Android.Click.312.origin is quite simple. Since the Trojan informs the management server about the type of current Internet connection, if a connection is made through the mobile operator’s network, the server can send a command to open the website of one of the partner services that support WAP-Click technology.
This technology simplifies the connection of various premium services, but it is often used to illegally subscribe users to premium services. Our company covered the indicated problem in 2017 and 2018. In some cases, a user’s confirmation is not required to connect an unnecessary service — a script located on the same page or the Trojan itself can do this for him. He will “click” on the confirmation button. And since Android.Click.312.origin will open the page of such a site in an invisible WebView, the whole procedure will pass without the knowledge and participation of the victim.
Doctor Web virus analysts have identified 34 applications in which Android.Click.312.origin has been integrated. They were installed by over 51.7 million users. In addition, a modification of the Trojan, named Android.Click.313.origin, was downloaded by at least 50,000,000 people. Thus, the total number of mobile device owners threatened by this Trojan exceeded 101.7 million. The following is a list of programs in which this clicker was found:GPS Fix
QR Code Reader
ai.type Free Emoji Keyboard
Cricket mazza live line
English Urdu Dictionary Offline – Learn English
EMI Calculator – Loan & Finance Planner
Pedometer Step Counter – Fitness Tracker
Route finder
PDF Viewer – EBook Reader
GPS Speedometer
GPS Speedometer PRO
Notepad – Text Editor
Notepad – Text Editor PRO
Who unfriended me?
Who deleted me?
GPS Route Finder & Transit: Maps Navigation Live
Muslim Prayer Times & Qibla Compass
Qibla Compass – Prayer Times, Quran, Kalma, Azan
Full Quran MP3 – 50+ Audio Translation & Languages
Al Quran Mp3 – 50 Reciters & Translation Audio
Prayer Times: Azan, Quran, Qibla Compass
Ramadan Times: Muslim Prayers, Duas, Azan & Qibla
OK Google Voice Commands (Guide)
Sikh World – Nitnem & Live Gurbani Radio
1300 Math Formulas Mega Pack
Social Studies – School Course. USE and OGE.
Bombuj – Filmy a serialy zadarmo
Video to MP3 Converter, RINGTONE Maker, MP3 Cutter
Power VPN Free VPN
Earth Live Cam – Public Webcams Online
QR & Barcode Scanner
Remove Object from Photo – Unwanted Object Remover
Cover art IRCTC Train PNR Status, NTES Rail Running Status