We live in a world where advertisements are everywhere, and it’s no surprise that users are becoming tired of them. By contrast, developers are driven by profit and seek to incorporate more advertisements into their apps. However, there exist certain apps that manage to generate profit without subjecting users to the annoyance of ads. Is this really good?
Recently, McAfee’s Mobile Research Team discovered a concerning practice among some apps distributed through Google Play. These apps load ads while the device’s screen is off, which might initially seem convenient for users. However, it’s a clear violation of Google Play Developer policy on how ads should be displayed. This affects not only the advertisers who pay for invisible Ads, but also the users as it drains battery, consumes data and poses potential risks such as information leaks and disruption of user profiling caused by Clicker behavior.
The team has identified 43 apps that collectively downloaded 2.5 million times. Among the targeted apps are TV/DMB Player, Music Downloader, News, and Calendar applications. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Most apps are no longer available on Google Play while others are updated by the developer. McAfee Mobile Security detects this threat as Android/Clicker. For more information, and to get fully protected, visit McAfee Mobile Security.
Many affected apps
How does it work?
This ad fraud library uses specific tactics to avoid detection and inspection. It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior. Notably, the latent period typically spans several weeks, which makes it challenging to detect.
Getting latent period by using Firebase Messaging Service
It is important to be cautious about the implications of granting permissions, such as excluding ‘power saving’ and allowing ‘draw over other apps’. These permissions can enable certain activities to occur discreetly in the background, raising concerns about the intentions and behavior of the applications or libraries in question. Allowing these permissions can result in more malicious behavior, such as displaying phishing pages, also to displaying ads in the background.
Asked permissions to run in the background and keep it hidden
When the device screen is turned off after the latent period, the fetching and loading of ads starts, resulting in users being unaware of the presence of running advertisements on their devices. This ad library registers device information by accessing the unique domain (ex: mppado.oooocooo.com) linked with the application. Then go to Firebase Storage to get the specific advertisement URL and show the ads. It is important to note that this process consumes power and mobile data resources.
Observed traffic when the screen off
If users quickly turn on their screens at this point, they might catch a glimpse of the ad before it is automatically closed.
Example of an advertising site displayed when the screen is off
In conclusion, it is essential for users to exercise caution and carefully evaluate the necessity of granting permissions like power saving exclusion, or draw over other apps before allowing them. While these permissions might be required for certain legitimate functionalities for running in the background, it is important to consider the potential risks linked with them, such as enabling hidden behaviors or reducing the relevance of ads and contents displayed to users because the hidden Clicker behavior. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience. For more information, visit McAfee Mobile Security
Indicators of Compromise (IoC’s)
Domains:
best.7080music.com
m.gooogoole.com
barocom.mgooogl.com
newcom.mgooogl.com
easydmb.mgooogl.com
freekr.mgooogl.com
fivedmb.mgooogl.com
krlive.mgooogl.com
sixdmb.mgooogl.com
onairshop.mgooogle.com
livedmb.mgooogle.com
krbaro.mgooogle.com
onairlive.mgooogle.com
krdmb.mgooogle.com
onairbest.ocooooo.com
dmbtv.ocooooo.com
ringtones.ocooooo.com
onairmedia.ocooooo.com
onairnine.ocooooo.com
liveplay.oocooooo.com
liveplus.oocooooo.com
liveonair.oocooooo.com
eightonair.oocooooo.com
krmedia.oocooooo.com
kronair.oocooooo.com
newkrbada.ooooccoo.com
trot.ooooccoo.com
thememusic.ooooccoo.com
trot.ooooccoo.com
goodkrsea.ooooccoo.com
krlive.ooooccoo.com
news.ooooccoo.com
bestpado.ooooccoo.com
krtv.oooocooo.com
onairbaro.oooocooo.com
barolive.oooocooo.com
mppado.oooocooo.com
dmblive.oooocooo.com
baromedia.oooocooo.com
musicbada.oouooo.com
barolive.oouooo.com
sea.oouooo.com
blackmusic.oouooo.com
Android Packages
| Package Name | Application Name | SHA256 | Google Play Downloads |
| band.kr.com | DMB TV | f3e5aebdbd5cd94606211b04684730656e0eeb1d08f4457062e25e7f05d1c2d1 | 10,000+ |
| com.dmb.media | DMB TV | 6aaaa6f579f6a1904dcf38315607d6a5a2ca15cc78920743cf85cc4b0b892050 | 100,000+ |
| dmb.onair.media | DMB TV | a98c5170da2fdee71b699ee145bfe4bdcb586b623bbb364a93bb8bdf8dbc4537 | 10,000+ |
| easy.kr | DMB TV | 5ec8244b2b1f516fd96b0574dc044dd40076ff7aa7dadb02dfefbd92fc3774bf | 100,000+ |
| kr.dmb.onair | DMB TV | e81c0fef52065864ee5021e1d4c7c78d6a407579e1d48fc4cf5551ff0540fdb8 | 5,000+ |
| livedmb.kr | DMB TV | 33e5606983526757fef2f6c1da26474f4f9bf34e966d3c204772de45f42a6107 | 50,000+ |
| stream.kr.com | DMB TV | a13e26bce41f601a9fafdec8003c5fd14908856afbab63706b133318bc61b769 | 100+ |
| com.breakingnews.player | 뉴스 속보 | d27b8e07b7d79086af2fa805ef8d77ee51d86a02d81f2b8236febb92cb9b242d | 10,000+ |
| jowonsoft.android.calendar | 달력 | 46757b1f785f2b3cec2906a97597b7db4bfba168086b60dd6d58d5a8aef9e874 | 10,000+ |
| com.music.free.bada | 뮤직다운 | a3fe9f9b531ab6fe79ed886909f9520a0d0ae98cf11a98f061dc179800aa5931 | 100,000+ |
| com.musicdown | 뮤직다운 | 5f8eb3f86fc608f9de495ff0e65b866a78c25a9260da04ebca461784f039ba16 | 5,000+ |
| new.kr.com | 뮤직다운 | 397373c39352ef63786fe70923a58d26cdf9b23fa662f3133ebcbc0c5b837b66 | 100,000+ |
| baro.com | 바로TV | 3b4302d00e21cbf691ddb20b55b045712bad7fa71eb570dd8d3d41b8d16ce919 | 10,000+ |
| baro.live.tv | 바로TV | 760aa1a6c0d1e8e4e2d3258e197ce704994b24e8edfd48ef7558454893796ebe | 50,000+ |
| baro.onair.media | 바로TV | b83a346e18ca20ac5165bc1ce1c8807e89d05abc6a1df0adc3f1f0ad4bb5cd0c | 10,000+ |
| kr.baro.dmb | 바로TV | 84a4426b1f8ea2ddb66f12ef383a0762a011d98ff96c27a0122558babdaf0765 | 100,000+ |
| kr.live | 바로TV | cccfdf95f74add21da546a03c8ec06c7832ba11091c6d491b0aadaf0e2e57bcc | 1,000+ |
| newlive.com | 바로TV | c76af429fabcfd73066302eeb9dd1235fd181583e6ee9ee9015952e20b4f65bf | 50,000+ |
| onair.baro.media | 바로TV | 6c61059da2ae3a8d130c50295370baad13866d7e5dc847f620ad171cc01a39e9 | 10,000+ |
| freemusic.ringtone.player | 벨소리 무료다운 | 75c74e204d5695c75209b74b10b3469babec1f7ef84c7a7facb5b5e91be0ae3e | 100,000+ |
| com.app.allplayer | 실시간 TV | 8d881890cfa071f49301cfe9add6442d633c01935811b6caced813de5c6c6534 | 50,000+ |
| com.onair.shop | 실시간 TV | 1501dd8267240b0db0ba00e7bde647733230383d6b67678fc6f0c7f3962bd0d3 | 50,000+ |
| eight.krdmb.onair | 실시간 TV | bbd6ddbfee7482fe3fe8b5d96f3be85e09352711a36cd8cf88cfdeaf6ff90c79 | 10,000+ |
| free.kr | 실시간 TV | 5f864aa88de07a10045849a7906f616d079eef94cd463e40036760f712361f79 | 10,000+ |
| kr.dmb.nine | 실시간 TV | ea49ad38dd7500a6ac12613afe705eb1a4bcab5bcd77ef24f2b9a480a34e4f46 | 100,000+ |
| kr.live.com | 실시간 TV | f09cff8a05a92ddf388e56ecd66644bf88d826c5b2a4419f371721429c1359a7 | 10,000+ |
| kr.live.onair | 실시간 TV | e8d2068d086d376f1b78d9e510a873ba1abd59703c2267224aa58d3fca2cacbd | 100,000+ |
| kr.live.tv | 실시간 TV | 1b64283e5d7e91cae91643a7dcdde74a188ea8bde1cf745159aac76a3417346e | 50,000+ |
| kr.media.onair | 실시간 TV | bd0ac9b7717f710e74088df480bde629e54289a61fc23bee60fd0ea560d39952 | 100,000+ |
| kr.onair.media | 실시간 TV | d7dd4766043d4f7f640c7c3fabd08b1a7ccbb93eba88cf766a0de008a569ae4d | 1,000+ |
| live.kr.onair | 실시간 TV | b84b22bc0146f48982105945bbab233fc21306f0f95503a1f2f578c1149d7e46 | 10,000+ |
| live.play.com | 실시간 TV | 516032d21edc2ef4fef389d999df76603538d1bbd9d357a995e3ce4f274a9922 | 50,000+ |
| new.com | 실시간 TV | 5d07a113ce389e430bab70a5409f5d7ca261bcdb47e4d8047ae7f3507f044b08 | 50,000+ |
| newlive.kr | 실시간 TV | afc8c1c6f74abfadd8b0490b454eebd7f68c7706a748e4f67acb127ce9772cdb | 100,000+ |
| onair.best | 실시간 TV | 6234eadfe70231972a4c05ff91be016f7c8af1a8b080de0085de046954c9e8e7 | 50,000+ |
| com.m.music.free | 음악다운 | ded860430c581628ea5ca81a2f0f0a485cf2eeb9feafe5c6859b9ecc54a964b2 | 500,000+ |
| good.kr.com | 음악다운 | bede67693a6c9a51889f949a83ff601b1105c17c0ca5904906373750b3802e91 | 100,000+ |
| new.music.com | 음악다운 | fee6cc8b606cf31e55d85a7f0bf7751e700156ce5f7376348e3357d3b4ec0957 | 1,000+ |
| play.com.apps | 음악다운 | b2c1caab0e09b4e99d5d5fd403c506d93497ddb2de3e32931237550dbdbe7f06 | 100,000+ |
| com.alltrot.player | 트로트 노래모음 | 469792f4b9e4320faf0746f09ebbcd8b7cd698a04eef12112d1db03b426ff70c | 50,000+ |
| com.trotmusic.player | 트로트 노래모음 | 879014bc1e71d7d14265e57c46c2b26537a81020cc105a030f281b1cc43aeb77 | 5,000+ |
| best.kr.com | 파도 MP3 | f2bbe087c3b4902a199710a022adf8b57fd927acac0895ab85cfd3e61c376ea5 | 100,000+ |
| com.pado.music.mp3 | 파도 MP3 | 9c84c91f28eadd0a93ef055809ca3bceb10a283955c9403ef1a39373139d59f2 | 100,000+ |
source: McAfee Labs
