Three apps on Google Play use delayed attacks, self-naming tricks, and an attack list dictated by a command and control server to click on ads in the background without the user’s knowledge.
Symantec researchers discovered three malicious applications on Google Play that collected ad revenue by clicking on ads while running in the background. The three apps utilized three separate techniques (delayed attacks, self-naming tricks, and an attack list received from a command and control server [C&C]) that are relatively common on their own, but have not been seen together. Symantec detects these threats as Android.Fakeapp. We have notified Google about these apps and they have been removed from Google Play.
The three malicious apps were available on Google Play with the following package and app names:
- com.sarabase.clearmaster.speedbooster (Clear Master Boost and Clean)
- com.desive.fastercharger.fastcharger (Fast Charge 2017)
- com.qt.fastercharger (Fast Charger X3 Free)