Turkish Clicker: Check Point Finds New Malware on Google Play
The Check Point research team has discovered an extensive malware campaign on the Google Play™ store. Check Point Mobile Threat Prevention detected the first samples of malware we call “Turkish Clicker” on several customer devices.
The malicious code was found in the apps “Fruit Life,” “City HD Wallpapers,” and “Adiyef Puzzle.” Google has removed all of these apps from Google Play.
Like BrainTest, which Check Point researchers discovered in September 2015, this demonstrates how easy it is for fraudsters to publish malicious apps on official app stores like Google Play.
What is Turkish Clicker?
This malware is part of an ad network with a Command & Control (C&C) server located in Turkey. Several apps on Google Play contained this malware, and although Google has since removed them, not before they had been downloaded by thousands of users. In at least one case, the app was available on Google Play for months before it was removed. Though the apps no longer appear in Google Play, they are still available on third party stores and remain on devices that installed them.
The app packages containing malware were:
- com.thanhquocsocard.fruit – Fruit Life
- com.poo.sway – City HD Wallpapers
- com.studiosk.b – Adiyef Puzzle
More importantly, Check Point researchers managed to inspect the C&C server and found 105 other package names and additional C&Cs likely related to this attack. A complete list of suspicious packages and C&Cs found on the original server is published at the end of this blog post.
How was it discovered and how does it work?
The first indication that the apps were malicious was when Check Point Mobile Threat Prevention detected unusual window overlay activity in the apps. On further investigation, researchers uncovered the full extent of the malicious activity going on behind the scenes.
After a user installs an infected app, it performs a set of actions without the user’s consent. First, it silently downloads an auto-clicking JavaScript and a list of URLs. The app then opens every URL in an invisible window.
Next, it executes the JavaScript, which clicks every clickable object on each opened web page, including all of the advertisements. This was likely the entire objective of the campaign, and it was achieved remarkably well, since the apps can generate enormous amounts of ad traffic this way.
This is the JavaScript used by the apps:
function fireEvent(e, n) {
    var i = e;
    if (document.createEvent) {
        var t = document.createEvent("MouseEvents");
        t.initEvent(n, !0, !1), i.dispatchEvent(t)
    } else document.createEventObject && i.fireEvent("on" + n)
}
// the loop condition and filter on the next line were lost in extraction; "i0)" is the residue
for (var links = document.getElementsByTagName("a"), elmalar = null, i = 0; i0) {
    fireEvent(document.links[i], "mouseover"), fireEvent(document.links[i], "mousedown"), fireEvent(document.links[i], "click");
    break
}
While this malicious activity is happening, affected users receive no alerts and remain completely unaware of the sites being opened and ads being clicked. In at least one instance the sites being opened were pornographic in nature.
- App is downloaded from Google Play
- App downloads URL list and JS
- App secretly opens all the URLs on the list
- JavaScript is executed, clicking all ads on the opened pages
How can you protect yourself?
The discovery of previously unknown malware emphasizes the importance of implementing security solutions that can detect and mitigate threats. Although this malware was only intended to generate ad revenue, the next attack could easily target corporate or personal information on infected devices. That could put personal financial data, business records, and other sensitive information at risk.
Check Point recommends that smartphone and tablet users download apps only from official sources and from known or trusted developers to minimize exposure to potential threats. Organizations that need to protect sensitive data on mobile devices should also consider a solution like Check Point Mobile Threat Prevention, which is capable of identifying threats like this one.
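To check a device for the packages named in this post, an added example (not Check Point's code) that parses the directory-index style lines found on the C&C server into package names and matches them against the output of `adb shell pm list packages`. The listing lines and package names are taken from this post; the `pm list packages` output is constructed.

```python
import re

# Directory-index lines as they appeared on the C&C server (sample lines
# taken from the listing in this post: "[HTM] <package>.php <date> <time> <size>").
CNC_LISTING = """\
[HTM] com.poo.sway.php 25-Nov-2015 07:40 4k
[HTM] com.wu.alti.php 25-Nov-2015 07:44 4k
[HTM] com.vizyonfilmizle.tr.php 07-Nov-2015 12:34 4k
[HTM] com.vizyonfilmizle.tr.php 25-Nov-2015 07:42 4k
"""

# Bare package names also given in the post (the three Google Play apps).
EXTRA_PACKAGES = ["com.thanhquocsocard.fruit", "com.poo.sway", "com.studiosk.b"]

# Constructed output of `adb shell pm list packages` from a test device.
PM_LIST_OUTPUT = """\
package:com.android.chrome
package:com.poo.sway
package:com.example.notes
package:com.vizyonfilmizle.tr
"""

# One listing line: tag, "<package>.php", date, time, size.
LISTING_RE = re.compile(r"^\[HTM\]\s+(?P<pkg>[\w.]+?)\.php\s+\S+\s+\S+\s+\S+$")


def packages_from_listing(text):
    """Extract the package name from each C&C directory-index line (deduplicated)."""
    found = set()
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m:
            found.add(m.group("pkg"))
    return found


def installed_packages(pm_output):
    """Parse `pm list packages` output ("package:<name>" per line) into a set."""
    return {l[len("package:"):].strip() for l in pm_output.splitlines() if l.startswith("package:")}


def find_suspicious(pm_output, listing, extra=()):
    """Return the installed packages that match any known suspicious name, sorted."""
    known = packages_from_listing(listing) | set(extra)
    return sorted(installed_packages(pm_output) & known)


if __name__ == "__main__":
    for pkg in find_suspicious(PM_LIST_OUTPUT, CNC_LISTING, EXTRA_PACKAGES):
        print("suspicious package installed:", pkg)
```

Feed it the real device output with `adb shell pm list packages > pm.txt` and the full listing from the end of this post in place of the sample strings.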
C&Cs and Suspicious Package Names: