April 29, 2016

Google Play is the most reliable app store for Android devices. Yet, from time to time, different malicious programs can be discovered in the store. Doctor Web security researchers have recently found 190 applications infected with Android.Click.95 that threatened users into installing applications they advertised by showing fake warning and error messages.

All applications containing Android.Click.95 have a quite simple architecture. Typically, these are entertainment applications such as advice apps, horoscopes, dream-books, jokes, and other information for all occasions which the Internet is flooded with. Doctor Web security researchers discovered 190 of such-like applications on Google Play distributed by the following developers: allnidiv, malnu3a, mulache, Lohari, Kisjhka, and PolkaPola. Moreover, at least 140,000 users have already installed these malicious applications. We have informed Google about this incident but the majority of the programs are still available for downloading.

When Android.Click.95 is on the device, it starts to perform its malicious activity not right after the installation or running of a program but in 6 hours trying to hide a real source of infection. After a 6-hour waiting, Android.Click.95 checks whether the infected device has an application specified in the Trojan’s configuration. If the application is missing, Android.Click.95 opens a fraudulent website which prompts the user to choose another browser because the current one is allegedly not safe to use. If the necessary application is installed on the device, the Trojan shows another fake warning, for example, about battery malfunction.

To solve a sudden problem that that the user had no clue about, the victim, of course, has to install a fraudulent application. And to ensure downloading the offered application, Android.Click.95 displays the bogus webpage every 2 minutes making it almost impossible to use the device.

If the user decides to download the malicious application, they are redirected to the Google Play store and right to the relevant section in which this app is located. For each download, fraudsters receive interest under the terms of affiliate advertising agreements. It explains why Android.Click.95 is so much wide spread—the cybercriminals try to make as much profit as they can from these downloads.

Doctor Web strongly advises Android users to be very careful and not to install dubious applications even if these applications are distributed via Google Play. Dr.Web for Android successfully detects and removes Android.Click.95, and, therefore, this malicious program poses no threat to our users.