2 min

Tags in this article

, ,

Sophos researchers have found 22 apps with over 2 million downloads from the Google Play Store that contain a backdoor. The back door allowed attackers to download files to the phone from their own server. That’s what Ars Technica reports.

These include Sparkle Flashlight. This is a flashlight app with over a million downloads that has been on Play Store since 2016 or 2017. Somewhere around March this year these and two others were updated to add the secret downloader. The other apps were available after June and included the downloader from the start.

The apps were removed from Play Store at the end of November. By then, they were used to click endlessly on fraudulent advertisements. Sophos now calls the family of apps Andr/Clickr-ad. The apps start automatically and keep running after the user forced them to stop. These functions ensured that large amounts of bandwidth were used and batteries were discharged more quickly.

“The app generates fraudulent requests that cost advertising networks significant revenue as a result of the fake clicks,” said the researchers. In addition, the devices are fully managed by the C2 server and it is possible to install malicious modules if the server gives instructions to do so.


The apps worked by reporting to a domain owned by an attacker: mobbt.com. The infected phones downloaded modules for advertising fraud and received specific commands every 80 seconds. The modules ensured that the phones clicked on a large number of links where fraudulent apps were hosted. To prevent users from suspecting that their phones were infected, the ads were displayed in a window that was 0 pixels high and 0 pixels wide.

To give advertisers the idea that the clicks came from a large number of real users, Andr/Clickr-ad manipulated user-agent strings to pretend to be a large number of different apps running on many different phones, including iPhones. Many of the rogue apps were created by developers who also had titles on the iOS App Store. Sophos saw that it seemed as if the clicks came from iPhones 5 to 8 Plus and from 249 different models from 33 manufacturers of Android phones.

This had several purposes. For example, it is possible that the iPhone labels made scammers earn more money, as some advertisers pay more if their ads are seen by iPhone users. In addition, the false labels gave the impression that a much larger number of devices clicked on the advertisements.

Automatically on

Andr/Clickr apps were programmed to run automatically when an infected phone was restarted. If a user closed an app with force close, the app was restarted three minutes later by a built-in sync adapter. The apps checked for new advertising commands every 80 seconds, and checked for new module downloads every 10 minutes.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.