Adware that displays and automatically clicks on advertisements in order to generate a profit for the developers has been discovered in as many as 340 Android apps available through the Google Play Store.

The latest round of malicious software to make it past Google’s Play Store screening is a family of adware known as GhostClicker. The adware makes use of two unique techniques that allow it to manipulate the device’s behavior.


The first of GhostClicker’s tricks is splitting up its malicious code to avoid detection. The adware campaign spreads part of its code across the Google Mobile Services (GMS) application programming interface (API) and Facebook Ad's software development kit (SDK). This allows it to bypass any security checks that might otherwise catch the threat before it gets inside the walled garden of the Google Play Store.

GhostClicker’s second technique is an anti-sandboxing check that keeps the adware’s malicious behavior from running when it detects that it is being analyzed. Sandboxes are virtual machines that are used to run and analyze code away from the operating system itself in order to find malware, and GhostClicker is able to disguise its intentions from such analysis.

The methods of code camouflage have served the GhostClicker family well, as the adware has been active in apps available through the Google Play Store since August 2016, according to a report from security firm Trend Micro.

Over the course of the year that GhostClicker has been hiding in plain sight, the adware has evolved. The early iterations of the adware required administrative privileges on the device to operate, but versions currently populating the Google Play Store do not, allowing the adware to serve its purpose without drawing attention to itself with requests for permissions.

When on a device, GhostClicker targets advertisements served up via Google’s mobile-focused AdMob advertising platform—a relatively common platform for ad-clicking malware to target, as campaigns like Skyfin and Mapin have done in the past.

In addition to clicking on ads against the user’s wishes in order to generate revenue for the attackers, GhostClicker also partakes in affiliate schemes in which pop-ups and advertisements are displayed in order to try to redirect the user to other pages, including YouTube links, Google Play Store download pages and other locations.

The good news about GhostClicker, if there is any, is that it is primarily driven by generating a profit for its creator by clicking ads. The malware isn’t interested in stealing a user’s personal information or login credentials—though that doesn’t mean people should just live with the malicious code on their device.

Perhaps the scariest part about GhostClicker is that it’s difficult to tell if an app contains the malicious code. While 340 apps aren’t that many in the sea of millions available in the Google Play Store, infected apps appear in just about every segment.

About 101 of the 340 known infected apps are still available to download and are posing as any number of legitimate apps. Everything from app cleaners, maintenance, file managers, barcode scanners, multimedia players and GPS navigation apps has been discovered to contain the adware.

While Google is likely to remove most if not all of the infected apps over time, users should proceed with caution and keep an eye out for any suspicious activity that starts to occur on their device after downloading an app.