16 Malicious Apps Removed from Google Play After 20 Million Downloads
Security experts at McAfee have reported that 16 malicious apps have been removed from the Google Play Store after being downloaded more than 20 million times in total. All of these apps were infected with the Clicker adware and disguised themselves as harmless utilities.
Researchers explain that Clicker could be downloaded under the guise of a flashlight, camera, currency or unit converter, QR code scanner, note-taking app, or dictionary. These apps appeared to offer useful features but secretly engaged in ad fraud.
Full List of Dangerous Apps
- High-Speed Camera (com.hantor.CozyCamera) – over 10,000,000 downloads
- Smart Task Manager (com.james.SmartTaskManager) – over 5,000,000 downloads
- Flashlight+ (kr.caramel.flash_plus) – over 1,000,000 downloads
- 달력메모장 (com.smh.memocalendar) – over 1,000,000 downloads
- K-Dictionary (com.joysoft.wordBook) – over 1,000,000 downloads
- BusanBus (com.kmshack.BusanBus) – over 1,000,000 downloads
- Flashlight+ (com.candlencom.candleprotest) – over 500,000 downloads
- Quick Note (com.movinapp.quicknote) – over 500,000 downloads
- Currency Converter (com.smartwho.SmartCurrencyConverter) – over 500,000 downloads
- Joycode (com.joysoft.barcode) – over 100,000 downloads
- EzDica (com.joysoft.ezdica) – over 100,000 downloads
- Instagram Profile Downloader (com.schedulezero.instapp) – over 100,000 downloads
- Ez Notes (com.meek.tingboard) – over 100,000 downloads
- 손전등 (com.candlencom.flashlite) – over 1,000 downloads
- 계산기 (com.doubleline.calcul) – over 100 downloads
- Flashlight+ (com.dev.imagevault) – over 100 downloads
After installation and launch, these apps did provide the promised features to users, but they also secretly downloaded additional code related to ad fraud. Infected devices received messages via Google’s Firebase Cloud Messaging platform, instructing them to open specific web pages in the background and click on links, artificially inflating ad clicks.
“This could lead to heavy network traffic and battery drain without the user’s knowledge, while generating profit for the cybercriminals behind this malware,” the experts wrote.
All the malicious apps included the com.liveposting library, which launched hidden adware services. Some apps also included an additional library, com.click.cas, focused on automatic click functionality. To hide suspicious behavior, the malicious utilities waited about an hour after installation before activating these libraries.
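For defenders triaging APKs, the two library names above can be used as static markers. The following is an added example, not code from McAfee or the original article: it scans the dex files inside an APK for type descriptors under those two packages. The class names and sample dex bytes are constructed for illustration.

```python
import io
import re
import zipfile

# Library package names reported in the article, written as dex
# type-descriptor prefixes (dots become slashes, leading "L").
MARKERS = {
    "com.liveposting": b"Lcom/liveposting/",
    "com.click.cas": b"Lcom/click/cas/",
}
DEX_NAME = re.compile(r"^classes\d*\.dex$")


def scan_apk(apk):
    """Return {library: [dex entries containing it]} for an APK path or file object."""
    hits = {}
    with zipfile.ZipFile(apk) as zf:
        for name in zf.namelist():
            if not DEX_NAME.match(name):
                continue  # only top-level classes*.dex entries hold bundled code
            data = zf.read(name)
            for lib, needle in MARKERS.items():
                if needle in data:
                    hits.setdefault(lib, []).append(name)
    return hits


def build_sample_apk(entries):
    """Constructed test input: a zip whose entries are raw bytes, not real dex files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    # Constructed sample; "Service" and "Clicker" are hypothetical class names.
    sample = build_sample_apk({
        "classes.dex": b"dex\n035\x00Lcom/example/app/MainActivity;\x00",
        "classes2.dex": b"dex\n035\x00Lcom/liveposting/Service;\x00"
                        b"Lcom/click/cas/Clicker;\x00",
    })
    print(scan_apk(sample))
```

A match only shows that the library is bundled in the APK; code fetched after installation, or a library whose package has been renamed, will not be caught by this static check.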
All of the listed apps have now been removed from Google Play.