
Turkish Clicker: Check Point Finds New Malware on Google Play


The Check Point research team has discovered an extensive malware campaign on the Google Play™ store. Check Point Mobile Threat Prevention detected the first samples of malware we call “Turkish Clicker” on several customer devices. 

The malicious code was found in the apps “Fruit Life,” “City HD Wallpapers,” and “Adiyef Puzzle.” Google has removed all of these apps from Google Play.  

Like BrainTest, which Check Point researchers discovered in September 2015, this demonstrates how easy it is for fraudsters to publish malicious apps on official app stores like Google Play.

What is Turkish Clicker?

This malware is part of an ad network with a Command & Control (C&C) server located in Turkey. Several apps on Google Play contained this malware, and although Google has since removed them, not before they had been downloaded by thousands of users. In at least one case, the app was available on Google Play for months before it was removed. Though the apps no longer appear on Google Play, they are still available on third-party stores and remain on devices that installed them.

The app packages containing malware were:

 

More importantly, Check Point researchers managed to inspect the C&C server and found 105 other package names and additional C&Cs likely related to this attack. A complete list of suspicious packages and C&Cs found on the original server is published at the end of this blog post.

How was it discovered and how does it work?

The first indication that the apps were malicious was when Check Point Mobile Threat Prevention detected unusual window overlay activity in the apps. On further investigation, researchers uncovered the full extent of the malicious activity going on behind the scenes.

After a user installs an infected app, it performs a set of actions without the user’s consent. First, it silently downloads an auto-clicking JavaScript and a list of URLs. The app then opens every URL in an invisible window.

Next, it executes the JavaScript, which clicks every clickable object on each opened web page, including all of the advertisements. This was likely the entire objective of the campaign, and it was achieved remarkably well, since the apps can generate enormous amounts of traffic this way.

This is the JavaScript used by the apps (reproduced as recovered; the loop condition on the for line was damaged in extraction and is left as found):

function fireEvent(e, n) {
   var i = e;
   if (document.createEvent) {
       var t = document.createEvent("MouseEvents");
       t.initEvent(n, !0, !1), i.dispatchEvent(t)
   } else document.createEventObject && i.fireEvent("on" + n)
}

for (var links = document.getElementsByTagName("a"), elmalar = null, i = 0; i0) {
   fireEvent(document.links[i], "mouseover"), fireEvent(document.links[i], "mousedown"), fireEvent(document.links[i], "click");
   break
}

While this malicious activity is happening, affected users receive no alerts and remain completely unaware of the sites being opened and ads being clicked. In at least one instance the sites being opened were pornographic in nature.

  1. App is downloaded from Google Play
  2. App downloads URL list and JS
  3. App secretly opens all the URLs on the list
  4. JavaScript is executed, clicking all ads on the opened pages

How can you protect yourself?

The discovery of previously unknown malware emphasizes the importance of implementing security solutions that can detect and mitigate threats. Although this malware was only intended to generate ad revenue, the next attack could easily target corporate or personal information on infected devices. That could put personal financial data, business records, and other sensitive information at risk.

Check Point recommends that smartphone and tablet users download apps only from official sources and from known or trusted developers, to minimize exposure to potential threats. Organizations that need to protect sensitive data on mobile devices should also consider a solution like Check Point Mobile Threat Prevention, which is capable of identifying threats like this one.
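As an added, defender-side example that is not part of Check Point's post, the following Python turns the listing format published at the end of this post (a C&C URL, followed either by Apache-style index lines or by bare package names) into a package-to-C&C map, and checks that map against the output of `adb shell pm list packages`. The excerpt of the listing and the package-manager output embedded below are constructed for the demonstration (the real list is much longer), and the function names are my own, not anything from Check Point's tooling.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed excerpt in the format of the listing at the end of this post:
# a C&C URL, followed either by Apache-style index lines ("[HTM] <package>.php ...")
# or by bare package names. The full list in the post is much longer.
LISTING = """\
http://www.ultra16.eu/
[HTM] com.vizyonfilmizle.tr.php                     07-Nov-2015 12:34       4k
[HTM] com.wu.alti.php                               25-Nov-2015 07:44       4k

http://www.ultra11.lol/
[HTM] com.dogan.candy.php                           25-Nov-2015 07:42       4k
[HTM] com.vizyonfilmizle.tr.php                     25-Nov-2015 07:42       4k

http://w.bestmobile.mobi/
com.gaprise.s2
com.gaprise.s1
com.cocuk_bulmaca
"""

# Constructed sample of `adb shell pm list packages` output (one "package:<name>" per line).
PM_OUTPUT = """\
package:com.android.chrome
package:com.dogan.candy
package:com.example.notes
package:com.gaprise.s1
"""

URL_RE = re.compile(r"^https?://\S+$")
INDEX_RE = re.compile(r"^\[HTM\]\s+(\S+)\.php\s")
PACKAGE_RE = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z0-9_]+)+$")


def parse_listing(text):
    """Parse the post's listing into (package -> set of C&C hosts, set of all C&C hosts).

    A URL line starts a new C&C block; every package line that follows is
    attributed to that host until the next URL line. Lines that are neither
    (for example market:// links) are ignored.
    """
    by_package = defaultdict(set)
    hosts = set()
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if URL_RE.match(line):
            host = urlparse(line).netloc
            hosts.add(host)
            continue
        m = INDEX_RE.match(line)
        if m:
            pkg = m.group(1)          # strip the ".php" the C&C appends per package
        elif PACKAGE_RE.match(line):
            pkg = line                # bare package name block
        else:
            continue
        if host is not None:
            by_package[pkg].add(host)
    return dict(by_package), hosts


def installed_packages(pm_output):
    """Extract package names from `pm list packages` output."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):])
    return names


def check_device(pm_output, listing=LISTING):
    """Return [(package, [C&C hosts])] for installed packages named in the listing."""
    by_package, _ = parse_listing(listing)
    hits = []
    for pkg in sorted(installed_packages(pm_output)):
        if pkg in by_package:
            hits.append((pkg, sorted(by_package[pkg])))
    return hits


if __name__ == "__main__":
    by_package, hosts = parse_listing(LISTING)
    print("C&C hosts to block at the network edge:", sorted(hosts))
    for pkg, c2s in check_device(PM_OUTPUT):
        print(f"flagged: {pkg} (listed on C&C {', '.join(c2s)})")
```

Hosts are kept as a set per package because, in the full listing at the end of this post, the same package name can appear under more than one C&C (com.vizyonfilmizle.tr is listed under both www.ultra16.eu and www.ultra11.lol); a package match is a reason to remove the app, and the host set is what a network-edge block list needs.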

C&Cs and Suspicious Package Names:

http://www.ultra16.eu/

[HTM] com.vizyonfilmizle.tr.php                     07-Nov-2015 12:34       4k       

[HTM] com.wu.alti.php                               25-Nov-2015 07:44       4k       

[HTM] com.wu.bes.php                                25-Nov-2015 07:44       4k       

[HTM] com.wu.bir.php                                25-Nov-2015 07:44       4k       

[HTM] com.wu.iki.php                                25-Nov-2015 07:44       4k       

[HTM] com.wu.uc.php                                 25-Nov-2015 07:44       4k     

 

http://www.ultra17.eu/

[HTM] com.mrt.bir.php                               25-Nov-2015 07:45       4k       

[HTM] com.mrt.iki.php                               25-Nov-2015 07:45       4k       

[HTM] com.mrt.uc.php                                25-Nov-2015 07:45       4k       

[HTM] com.mu.bir.php                                25-Nov-2015 07:45       4k       

[HTM] com.mu.iki.php                                25-Nov-2015 07:45       4k       

[HTM] com.mu.uc.php                                 25-Nov-2015 07:45       4k   

 

http://www.ultra18.eu/

[HTM] com.gsv.bir.php                               25-Nov-2015 07:46       4k       

[HTM] com.moo.day.php                               25-Nov-2015 07:46       4k       

[HTM] com.moo.hay.php                               25-Nov-2015 07:46       4k       

[HTM] com.moo.yt.php                                25-Nov-2015 07:46       4k       

[HTM] com.moo.ytb.php                               25-Nov-2015 07:46       4k       

[HTM] com.mrt.hay.php                               25-Nov-2015 07:46       4k       

[HTM] com.mrt.puzzle.php                            25-Nov-2015 07:46       4k     

 

http://www.ultra19.eu/

[HTM] com.gta.puzzle.php                            27-Nov-2015 12:34       4k       

[HTM] com.moo.filmtr.php                            26-Nov-2015 20:42       4k       

[HTM] com.moo.mtub.php                              26-Nov-2015 20:42       4k       

[HTM] com.poostudios.b.php                          26-Nov-2015 23:26       4k       

[HTM] com.poostudios.c.php                          26-Nov-2015 23:57       4k       

[HTM] com.poostudios.d.php                          26-Nov-2015 23:39       4k       

[HTM] com.poostuduios.a.php                         26-Nov-2015 20:43       4k       

[HTM] com.sub.puzzle.php                            29-Nov-2015 23:04       4k       

[HTM] com.vice.puzzle.php                           29-Nov-2015 20:41       4k       

[HTM] com.wria.bir.php                              26-Nov-2015 20:42       4k       

[HTM] com.wria.iki.php                              26-Nov-2015 20:42       4k       

[HTM] com.wria.uc.php                               26-Nov-2015 20:42       4k

 

http://www.ultra3.lol/

[HTM] com.axientertainment.aksi.php                 25-Nov-2015 07:39       4k       

[HTM] com.poo.gg.php                                25-Nov-2015 07:39       4k       

[HTM] com.poo.guideandreas.php                      25-Nov-2015 07:39       4k   

http://www.ultra4.lol/

[HTM] com.poo.candy.php                             25-Nov-2015 07:40       4k       

[HTM] com.poo.guideandreas.php                      25-Nov-2015 07:40       4k       

[HTM] com.poo.sway.php                              25-Nov-2015 07:40       4k       

 

http://www.ultra6.lol/

[HTM] com.poo.nia.php                               25-Nov-2015 07:40       4k       

[HTM] com.poo.nim.php                               25-Nov-2015 07:40       4k

 

http://www.ultra7.lol/

[HTM] com.pootr.a.php                               09-Oct-2015 12:42       4k  

 

http://www.ultra8.lol/

[HTM] com.trent.coin1.php                           12-Oct-2015 15:33       4k       

[HTM] com.trent.coin10.php                          12-Oct-2015 15:32       4k       

[HTM] com.trent.coin11.php                          12-Oct-2015 15:32       4k       

[HTM] com.trent.coin2.php                           12-Oct-2015 15:33       4k       

[HTM] com.trent.coin3.php                           12-Oct-2015 15:33       4k       

[HTM] com.trent.coin4.php                           12-Oct-2015 15:33       4k       

[HTM] com.trent.coin5.php                           12-Oct-2015 15:33       4k       

[HTM] com.trent.coin6.php                           12-Oct-2015 15:33       4k       

[HTM] com.trent.coin7.php                           12-Oct-2015 15:32       4k       

[HTM] com.trent.coin8.php                           12-Oct-2015 15:32       4k       

[HTM] com.trent.coin9.php                           12-Oct-2015 15:32       4k       

[HTM] com.trent.coins10.php                         11-Oct-2015 22:06       4k       

[HTM] com.trent.coins11.php                         11-Oct-2015 22:06       4k       

[HTM] com.trent.coins12.php                         12-Oct-2015 03:17       4k       

[HTM] com.trent.coins13.php                         12-Oct-2015 03:17       4k       

[HTM] com.trent.coins5.php                          11-Oct-2015 22:06       4k       

[HTM] com.trent.coins6.php                          11-Oct-2015 22:06       4k       

[HTM] com.trent.coins7.php                          11-Oct-2015 22:06       4k       

[HTM] com.trent.coins8.php                          11-Oct-2015 22:06       4k       

[HTM] com.trent.coins9.php                          11-Oct-2015 22:06       4k       

[HTM] com.trent.jk.php                              11-Oct-2015 22:06       4k       

[HTM] com.trent.mr.php                              11-Oct-2015 22:06       4k       

[HTM] com.trent.tck.php                             11-Oct-2015 22:06       4k       

[HTM] com.trent.tra.php                             11-Oct-2015 22:06       4k

 

http://www.ultra11.lol/

[HTM] com.dogan.candy.php                           25-Nov-2015 07:42       4k       

[HTM] com.dogan.clans.php                           25-Nov-2015 07:42       4k       

[HTM] com.dogan.gta.php                             25-Nov-2015 07:42       4k       

[HTM] com.dogan.tom.php                             25-Nov-2015 07:42       4k       

[HTM] com.dogan.tr.php                              25-Nov-2015 07:42       4k       

[HTM] com.dogan.tre.php                             25-Nov-2015 07:42       4k       

[HTM] com.dogan.vice.php                            25-Nov-2015 07:42       4k       

[HTM] com.ugurmencik.tr.php                         25-Nov-2015 07:42       4k       

[HTM] com.ugurmencik.tre.php                        25-Nov-2015 07:42       4k       

[HTM] com.vizyonfilmizle.tr.php                     25-Nov-2015 07:42       4k       

 

http://www.ultra12.lol/

[HTM] com.im.viewport.php                           25-Nov-2015 07:43       4k       

[HTM] com.usaport.four.php                          25-Nov-2015 07:43       4k       

[HTM] com.usaport.seven.php                         25-Nov-2015 07:43       4k       

[HTM] com.usaport.ten.php                           25-Nov-2015 07:43       4k       

[HTM] com.usaport.three.php                         25-Nov-2015 07:43       4k       

[HTM] com.usaport.twelve.php                        25-Nov-2015 07:43       4k    

 

http://www.ultra13.lol/

[HTM] com.moo.usaview.php                           25-Nov-2015 07:43       4k       

[HTM] com.moo.viewport.php                          25-Nov-2015 07:43       4k       

[HTM] com.noo.webport.php                           25-Nov-2015 07:43       4k   

 

http://www.ultra14.lol/

[HTM] com.mrmrt.five.php                            03-Nov-2015 11:00       4k       

[HTM] com.mrmrt.four.php                            03-Nov-2015 11:00       4k       

[HTM] com.mrmrt.one.php                             03-Nov-2015 11:00       4k       

[HTM] com.mrmrt.two.php                             03-Nov-2015 11:00       4k

 

http://www.ultra15.lol/

[HTM] com.express.one.php                           26-Nov-2015 14:27       4k       

[HTM] com.expresstr.alti.php                        06-Nov-2015 10:51       4k       

[HTM] com.expresstr.bes.php                         06-Nov-2015 10:49       4k       

[HTM] com.expresstr.dokuz.php                       06-Nov-2015 20:30       4k       

[HTM] com.expresstr.dort.php                        05-Nov-2015 21:15       4k       

[HTM] com.expresstr.iki.php                         05-Nov-2015 21:15       4k       

[HTM] com.expresstr.on.php                          06-Nov-2015 20:23       4k       

[HTM] com.expresstr.onbir.php                       06-Nov-2015 20:28       4k       

[HTM] com.expresstr.one.php                         05-Nov-2015 21:13       4k       

[HTM] com.expresstr.uc.php                          05-Nov-2015 21:13       4k       

[HTM] com.expresstr.yedi.php                        06-Nov-2015 10:53       4k

 

http://w.bestmobile.mobi/

com.gaprise.s2

com.gaprise.s1

com.gaprise.s3

com.boyacikitab

com.cocuk_bulmaca

com.gaprise.s2

com.gaprise.s1

com.gaprise.s3

com.axientertainment.aksi

com.dogan.candy

com.dogan.clans

com.dogan.gta

com.dogan.tom

com.dogan.tr

com.dogan.tre

com.dogan.vice

com.express.one

com.expresstr.alti

com.expresstr.bes

com.expresstr.dokuz

com.expresstr.dort

com.expresstr.iki

com.expresstr.on

com.expresstr.onbir

com.expresstr.one

com.expresstr.uc

com.expresstr.yedi

com.gsv.bir

com.gta.puzzle

com.im.viewport

com.moo.day

com.moo.filmtr

com.moo.hay

com.moo.mtub

com.moo.usaview

com.moo.viewport

com.moo.yt

com.moo.ytb

com.mrmrt.five

com.mrmrt.four

com.mrmrt.one

com.mrmrt.two

com.mrt.bir

com.mrt.hay

com.mrt.iki

com.mrt.puzzle

com.mrt.uc

com.mu.bir

com.mu.iki

com.mu.uc

com.noo.webport

com.poo.candy

com.poo.gg

com.poo.guideandreas

com.poo.nia

com.poo.nim

com.poo.sway

com.poostudios.b

com.poostudios.c

com.poostudios.d

com.poostuduios.a

com.pootr.a

com.sub.puzzle

com.trent.coin1

com.trent.coin10

com.trent.coin11

com.trent.coin2

com.trent.coin3

com.trent.coin4

com.trent.coin5

com.trent.coin6

com.trent.coin7

com.trent.coin8

com.trent.coin9

com.trent.coins10

com.trent.coins11

com.trent.coins12

com.trent.coins13

com.trent.coins5

com.trent.coins6

com.trent.coins7

com.trent.coins8

com.trent.coins9

com.trent.jk

com.trent.mr

com.trent.tck

com.trent.tra

com.ugurmencik.tr

com.ugurmencik.tre

com.usaport.four

com.usaport.seven

com.usaport.ten

com.usaport.three

com.usaport.twelve

com.vice.puzzle

com.vizyonfilmizle.tr

com.wria.bir

com.wria.iki

com.wria.uc

com.wu.alti

com.wu.bes

com.wu.bir

com.wu.iki

com.wu.uc

com.viewport.one

com.viewport.two

com.viewport.three

com.viewport.four

 

http://pop.oin.systems/com/getir.php

http://pop.oin.systems/com/new.php

http://pop.oin.systems/com/IP.php

http://pop.oin.systems/com/agent.php

http://pop.oin.systems/com/you.php

http://oin.systems/realanti.txt

market://details?id=com.king.candycrushsaga

http://oin.systems/ads/call.php

http://oin.systems/ads/url.php

http://oin.systems/ads/code1.php

http://oin.systems/ads/code2.php

http://oin.systems/realanti.txt

http://oin.systems/ads/log.php

http://oin.systems/ads/call.php

http://oin.systems/ads/url.php

http://oin.systems/ads/code1.php

http://oin.systems/ads/code2.php

http://oin.systems/realanti.txt

market://details?id=com.badoinkfree

http://oin.systems/ads/log.php

http://oin.systems/tube/time.php

 
