Android Wallpaper Apps Found Running Ad Fraud Scheme
Trend Micro has detected 15 Android wallpaper apps in the Google Play Store running click fraud schemes. So far, these apps have been downloaded well over 200,000 times. The heaviest concentration of victims were found in Italy, Taiwan, the United States, Germany, and Indonesia. Google has since removed these malicious apps from the Play Store. Click fraud is a type of fraud that takes advantage of pay per click online advertising.
Basically, the fraudster automates the clicks that would normally be a human being clicking on an ad, thus generating revenue for false clicks. Once the malware is installed, the app decodes the C2 server address for configurations and launches an HTTP GET request which communicates with the C2 for a JSON-formatted list. Next, the app gets the advertising ID from the Google Play Services and replaces some parameters on the device. The URL is then loaded and then it begins to simulate clicks on the ad page. For further details, view Trend Micro’s report.
Indicators of Compromise
SHA256
- 0995b52a9a12cf31ae19c360d56ca1a20d784eecc9b018514dbf01446f4ad36e
- 1f6907b2e8f7fa7597a28b2e7133325fcddb3e4f9e1c3cbad82afaa82bf3c57e
- b098d0ee0766558dff37761358d250a7b648c1de1556bd0345564b74a6db848c
- fbcc2c9ddc69c0f272f80051987b5ed911cd112ef6e26709b54e67cae7ce1fb6
- aec79ed8cb779474a058e89bd4f1a55a534d439af5d48751867300a885d50182
- 48d7ebf7fd65cb317e52c5d331d193bfaf3f48590b8f598292be88f26dc8464e
- 034aa9f3ceeb74acf38c0f4036bb0e89339759ed73de009207c7036eb25e14a5
- 8d643500319bd9e4eb2007ac43613bf53943b65dff25ee933d5450ecc11402b8
- 8f16246b9afc1dfb89ca8b60f1b097584b94034e0de6496bbc28e58d667c4af5
- a2ef230d3b091c0571bb0c96b456c17f94a176a2861281b6ff0b56e789e17b64
- ee6ef277ea9d8478965452e10c0c01cd7a4d13c1cd23e9ee8d2668a715f7a6b5
- fa8f9d3415bc38b679204f2c8fd983e12298e014007f2a18f7501e3c1d3d1910
- bf016cf1142b17c5a088a80feb88fb10ab9be05c20133931b7190e352a1f1b08
- bc8237bf6a9b25e71bb55c0841c1ee6ef443835bf172666a680f74badadf34f8
- d34598835b28a6ad070dd0986b0bbc336c8ba7cac9a9a22d6b3c6a99049242a6
C&C Server
- http://myukka.com/v2/xfeeds.php
- http://198.1.125.77/tracking/config.php
Duncan is a technology professional with over 20 years experience of working in various IT roles. He has a interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.