News

Android, 16 malicious Adware apps have been downloaded more than 20 million times

There is no peace for less savvy Android users, who are increasingly risking downloading fake apps or, worse yet, malware-enriched content for the most part without even realizing it. Among the most recent events of this kind are McAfee security researchers Discover a collection of 16 malicious clicking apps who managed to infiltrate the Android Play Store. Clicker apps are a special class of adware that loads ads in invisible frames or in the background, and is involved in triggering automated clicks to generate revenue for its operators.

The effects of too much background work on devices are usually associated with Low performance, smartphone or tablet overheating, increased battery usage and excessive mobile data usageor WiFi. But there is good news! This is that TAll 16 apps removed from Android Store After McAfee informed them. However, the time frame from publication to removal still resulted in over 20 million installs. The most dangerous app was called DxClean and it was installed five million times before it was removed. Worst and most successful is that it has a relatively positive overall rating of 4.1 out of 5 stars.


DxClean, as the name suggests, presented itself as a system cleaner and optimizer, promising just the opposite of what it did, namely discovering the causes of system slowdowns and stopping ad hassles. Meanwhile in the background he was doing the exact opposite.

But how do clicker apps like this work? Once started, they can download their configuration from a remote location via an HTTP request and register a Firebase Cloud Messaging (FCM) listener to receive push messages.

These messages contain instructions for clicks, such as which functions to call and which parameters to use. As McAfee explains well in the report. Primarily, it involves visiting websites delivered by an FCM message and then browsing them in the background to mimic user behavior.

The auto click function is handled by the “click.cas” component, while the proxy that handles adware services is “com.liveposting”. McAfee analysts say the Direct Deployment SDK can also work on its own, perhaps to only generate ad impressions, but recent versions of the apps feature both libraries. Below is a list of the defeated apps, as per McAfee Communication.


The victim never interacts with open websites and is unlikely to be aware of the processes that occur silently but make a profit for the remote operators. To prevent the user from noticing it, the malicious process usually does not start in the first hour after installing the application, and delays its launch when the user is actively using the device.

It’s really hard to notice how these malicious apps workHowever, the most common checks to avoid such activities are related to battery consumption and internet usage. In case the system is not used for a long time, there is no justification for any greater consumption of battery and/or mobile data.

Related Articles

Leave a Reply

Your email address will not be published.

Back to top button