Original topic:

🚨🚨 Warning : Android App Fraud – Haken Clicker and Joker Premium Dialer

(Topic created on: 02-26-2020 12:14 PM)
670 Views
GabyThe911Operator
Active Level 10
Options
Galaxy S
Research by: Ohad Mana, Israel Wernik, Bogdan Melnykov, Aviran Hazum

Intro

Check Point researchers have recently discovered a new clicker malware family, along with fresh samples of the Joker malware family in Google Play.
Throughout this publication we present a brief overview of the malicious campaigns, and describe the technical analysis that has been performed around the two families of malware.

Analysis

‘Haken’ & ‘BearClod’ Clickers:

  • Overview:

Clickers, malware that mimics the user and perform ‘clicks’ on ads, are a rising threat in the mobile industry. Recently, UpsteamSystems published a report regarding a clicker dubbed ‘ai.type’ or ‘BearClod’. We have observed an increase in activity and scale of the operation behind this clicker, with 47 new applications that were available on Google Play, and were downloaded more than 78 million times by users.

While monitoring the increased activity of ‘BearClod’, we were able to find another clicker family: ‘Haken’. This campaign has just begun its path in Google Play. With 8 malicious applications, and over 50,000 downloads, the clicker aims to get a hold of as many devices as possible to generate illegitimate profit.

 

Figure 1 – Haken Clicker Application on Google Play

Figure 2 – Haken Clicker Details from Google Play

Figure 3 – Google Play reviews and comments for Haken Clicker
  • Capabilities:

Both ‘BearCloud’ and ‘Haken’ clicker families use different approaches for the implementation of the clicking functionality. While the ‘BearClod’ utilizes a web-view creation and loading of malicious JavaScript code that performs the clicking, the Haken clicker utilizes native code and injection to Facebook and AdMob libraries while communicating with a remote server to get the configuration.

The first entry point of the Haken clicker is the receiver called ‘BaseReceiver’. This receiver asks for permissions that the backdoored app (in this case, a compass application that actually provides a compass service) does not require to function, for instance,BOOT_COMPLETED which let the backdoored application to run code at device start-up.

Figure 4 – Haken Clicker Permissions

This BaseReceiver loads a native library ‘kagu-lib’ and calls from it a method called ‘startTicks’, which after inspection calls the method ‘clm’ from ‘com/google/android/gms/internal/JHandler’. This class registers two workers and a timer. One worker communicates with the C&C server to download a new configuration and process it, while the other is triggered by the timer, checks for requirements and injects code into the Ad-related Activity classes of well-known Ad-SDK’s like Google’s AdMob and Facebook.

Figure 5 – startTicks function

Figure 6 – Communication with C&C to get configuration

Figure 7 – Processing the configuration

 

Figure 8 – Injection into Facebook and Google

The clicking functionality is implemented in the code that was injected into the Ad-SDK’s ‘onCreate’ function, in this case, it’s the ‘yzt.sta’ method.

                                                    Figure 9 – Calling the injected code    

While using ‘MotionEvent’ to mimic user clicks, those functions are called via reflection.

Figure 10 – Clicking on ads received from the Ad-SDK via reflection on MotionEvent’s obtain.

After reporting this threat to Google, all of the affected applications were removed from Google Play, and most of them have already published a new version without the threat.

Continuing to read : https://research.checkpoint.com/2020/android-app-fraud-haken-clicker-and-joker-premium-dialer/
3 Comments
Galaxy S
you made me really scared, I downloaded a compass app on my phone, good thing it's not hacked
SeamusDelion
Active Level 7
Galaxy S
Yeah! I like the compas is the Samsung phone in the side pannel, I use it when getting off the subway in areas I'm unfamiliar with!
0 Likes
SeamusDelion
Active Level 7
Galaxy S
Thank you!
0 Likes