Sophos security researchers have found 22 backdoored apps in the official Google Play Store, with a combined total of more than 2 million downloads. The most popular is the flashlight app Sparkle Flashlight, which alone has more than one million downloads. The app contains a backdoor that can silently download files from an attacker-controlled server.
These apps are used mainly for advertising fraud: the researchers named the family Andr/Clickr-ad, and it generates revenue through fraudulent ad clicks. For users, the visible cost is reduced battery life and increased data usage. The backdoor could, however, be used to download any malicious program.
“The apps we detect as Andr/Clickr-AD had been engineered with maximum flexibility and extensibility in mind. Everything is configurable by the apps’ C2 server. Let’s have a look at how the malware operates.
When the user first launches the app, it sends an HTTP GET request to the C2 server. The server returns a JSON-formatted list of commands it calls an “sdk.” Each command includes the URL to download an “sdk” module, a class and method name to call, and parameters the module should pass to each method.”
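As an added illustration (not Sophos's code and not the malware's), the following defender-side triage helper parses a C2 response of the shape the quote describes and pulls out the indicators worth blocking and hunting for. The JSON key names and the sample response are assumed and constructed here, since the page does not give the real schema.

```python
"""Triage helper for a captured Andr/Clickr-ad style C2 response.

The report describes the response only as a JSON list of "sdk" commands,
each carrying a module download URL, a class and method name to call, and
parameters. The key names used below are ASSUMED for illustration; adjust
them to match a real capture.
"""
import json
from urllib.parse import urlparse

# Constructed sample modelled on the description: two "sdk" commands.
SAMPLE_RESPONSE = json.dumps({
    "sdk": [
        {"url": "http://c2.invalid/mod/click.jar", "class": "a.b.Clicker",
         "method": "start", "params": {"interval": 30}},
        {"url": "http://c2.invalid/mod/dl.jar", "class": "a.b.Loader",
         "method": "fetch", "params": {"target": "http://c2.invalid/x.apk"}},
    ]
})


def triage_c2_response(raw: str) -> dict:
    """Extract what a defender wants from one C2 response: hosts serving
    modules (to block), the (class, method) entry points the loader would
    invoke (to hunt for in the downloaded code), and any further URLs
    hidden in the attacker-controlled parameters."""
    data = json.loads(raw)
    commands = data.get("sdk", [])
    if not isinstance(commands, list):  # tolerate a malformed capture
        commands = []
    hosts, entrypoints, param_urls = set(), [], set()
    for cmd in commands:
        host = urlparse(cmd.get("url", "")).hostname
        if host:
            hosts.add(host)
        entrypoints.append((cmd.get("class"), cmd.get("method")))
        # Parameters are also server-controlled; harvest any URLs in them.
        for value in cmd.get("params", {}).values():
            if isinstance(value, str) and value.startswith(("http://", "https://")):
                param_urls.add(value)
    return {
        "command_count": len(commands),
        "block_hosts": sorted(hosts),
        "entrypoints": entrypoints,
        "param_urls": sorted(param_urls),
    }


if __name__ == "__main__":
    print(json.dumps(triage_c2_response(SAMPLE_RESPONSE), indent=2))
```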
Google has removed these malicious apps from the Play Store.