Trojan from Google Play Store Targets Smart Sex Toy Users
Researchers at Doctor Web have discovered suspicious code in the Love Spouse app, which is used to control adult toys and was downloaded from the Google Play Store. The app was found to contain a clicker trojan that secretly opens advertising websites and clicks on pages. This type of malware can be used for hidden ad displays, artificially inflating link clicks, subscribing users to paid services, and even launching DDoS attacks.
The trojan found in Love Spouse has been identified as Android.Click.414.origin; it disguised itself as a component for collecting debugging information (the com.android.logcatch library).
In addition to Love Spouse, the same malware was detected in the QRunning app, which tracks physical activity. Both apps were developed by Chinese developers and were quite popular, with a combined installation base of over 1.5 million devices.
Infected Apps and Malware Details
Researchers report that the malicious code was likely introduced recently, in the latest releases of these apps. The developer of Love Spouse has already updated the app, and starting from version 1.8.8, it no longer contains the trojan. However, QRunning has not yet been updated.
According to the company, the discovered malware is a modification of another trojan that came to researchers’ attention in April of last year. At that time, Doctor Web received a report from a user whose antivirus detected a new file in the system area of a V88mini TV box. This turned out to be a loader for the Android.Click.410.origin trojan.
There is no information on exactly how the TV box was infected. However, it was found that the operating system installed on the device was not what it claimed to be. The product listing stated Android 12, and this was shown in the system information, but the Build ID (a unique OS build identifier) matched Android 7. This situation is common for budget TV boxes. Another user reported a similar issue with the X96Q TV box, which also had a different version of Android than advertised.
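The version mismatch described above can be checked from a device's system properties. The following is an added example, not code from Doctor Web or from the original article. It assumes the input is `adb shell getprop` output and that the firmware follows the AOSP convention in which the first letter of the Build ID tracks the release; the sample outputs are constructed.

```python
import re

# Assumption for this example: AOSP convention, first letter of ro.build.id
# is the release code-name letter. Only unambiguous letters are listed.
BUILD_ID_LETTER_TO_MAJOR = {"N": 7, "O": 8, "P": 9, "Q": 10, "R": 11, "S": 12, "T": 13}

PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>.*)\]$")

def parse_getprop(text):
    """Parse getprop output lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props

def check_version_consistency(getprop_text):
    """Return (verdict, detail); verdict is 'consistent', 'mismatch' or 'unknown'."""
    props = parse_getprop(getprop_text)
    release = props.get("ro.build.version.release", "")
    build_id = props.get("ro.build.id", "")
    m = re.match(r"\d+", release)
    implied = BUILD_ID_LETTER_TO_MAJOR.get(build_id[:1].upper())
    if not m or implied is None:
        # Vendor-specific Build IDs or missing properties: do not guess.
        return "unknown", f"release={release!r} build_id={build_id!r}"
    claimed = int(m.group())
    if claimed != implied:
        return "mismatch", f"claims Android {claimed}, Build ID {build_id} implies Android {implied}"
    return "consistent", f"Android {claimed}, Build ID {build_id}"

# Constructed sample outputs (not captured from a real device).
SPOOFED_BOX = """\
[ro.build.id]: [NHG47K]
[ro.build.version.release]: [12]
[ro.product.model]: [example-tv-box]
"""
GENUINE_DEVICE = """\
[ro.build.id]: [SP1A.210812.016]
[ro.build.version.release]: [12]
"""

if __name__ == "__main__":
    for name, sample in (("spoofed", SPOOFED_BOX), ("genuine", GENUINE_DEVICE)):
        print(name, *check_version_consistency(sample))
```

An "unknown" verdict means the Build ID does not follow the assumed convention, so the check cannot decide either way.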
How the Android.Click.414.origin Trojan Works
The Android.Click.414.origin trojan has a modular structure. One module collects device information, while two others perform hidden page loading, display ads, and click on them. The malware can also detect if the main app is running in a controlled environment and reports this to its command server. Notably, the trojan is selective and does not activate if the device’s interface language is set to Chinese.
If the trojan launches successfully, it sends detailed device information (brand, model, OS version, IP address, region, mobile network operator code, and more) to its command server and activates one or more operational strategies. The trojan secretly loads websites using WebView, can scroll through page content, enter text into forms, and mute audio if the sites it opens play sound or video. To perform these actions, it executes JavaScript code received from the server in the WebView with the target site loaded.
Additionally, the trojan can take screenshots of the displayed site and send them to its server, analyze them pixel by pixel, and based on the analysis, determine where to click within the WebView. In some cases, the trojan uses Bing, Yahoo, and Google to generate ad links based on keywords.
Initially, this malware was detected only in apps available from unofficial Android app stores, but in February 2024, it made its way into the official Google Play Store.