Security Affairs
Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|Pegasus Used Against MEP Investigating Pegasus, Citizen Lab Finds|JADEPUFFER: First End-to-End AI-Driven Ransomware Operation|The Anatomy of a Shadow AI Supply-Chain Breach: Lessons from the 2026 Vercel Incident|Law enforcememt operation disrupted Malicious Residential Proxy Networks NetNut|Government and Healthcare Are the Weakest Links in Global Email Security|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Malicious Clicker apps in Google Play have 20M+ installs

Researchers discovered 16 malicious clicker apps in the official Google Play store that were downloaded by 20M+ users. Security researchers at McAfee have discovered 16 malicious clicker apps available in the official Google Play store that were installed more than 20 million times. One of these apps, called DxClean, has more than five million times […]

clicker apps

Researchers discovered 16 malicious clicker apps in the official Google Play store that were downloaded by 20M+ users.

Security researchers at McAfee have discovered 16 malicious clicker apps available in the official Google Play store that were installed more than 20 million times. One of these apps, called DxClean, has more than five million times and its user rating was of 4.1 out of 5 stars.

Clicker apps are adware software that loads ads in invisible frames or in the background and clicks them to generate revenue for the threat actors behind the campaign.

“Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play. In total 16 applications that were previously on Google Play have been confirmed to have the malicious payload with an assumed 20 million installations.” reads the report published by McAfee.

Threat actors have concealed the malicious code in useful utility applications like Flashlight (Torch), QR readers, Camara, Unit converters, and Task managers.

clicker apps

Upon executing the clicker apps, they will downloads the configuration from a remote server and register the FCM listener to receive the push messages.

“Once the application is opened, it downloads its remote configuration by executing an HTTP request. After the configuration is downloaded, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages. At first glance, it seems like well-made android software. However, it is hiding ad fraud features behind, armed with remote configuration and FCM techniques.” continues the report.

The FCM message includes multiple information, such as the functions to call and the parameters to pass them.

When the app receives an FCM message that meets some condition, the associated function starts in the background. Usually the functions instruct the device to visit websites in the background while mimicking user’s behavior. This may cause heavy network traffic and consume power while generating profit for the attackers by clicking on ads without users’ knowledge.

The experts identified two pieces of code in these clicker apps, one is “com.click.cas” library which is usedto automate clicking functionality, the second one is “com.liveposting” library that’s acts as an agent and runs hidden adware services.

All 16 Clicker apps reported by McAfee experts have been removed from Google Play, the security firm also shared

“Clicker malware targets illicit advertising revenue and can disrupt the mobile advertising ecosystem.” concludes the report Malicious behavior is cleverly hidden from detection.” concludes the report.

“we recommend having a security software installed and activated so you will be notified of any mobile threats present on your device in a timely manner. Once you remove this and other malicious applications, you can expect an extended battery time and you will notice reduced mobile data usage while ensuring that your sensitive and personal data is protected from this and other types of threats.””

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, clicker apps)

[adrotate banner=”5″]

[adrotate banner=”13″]