Google Play Store

We’ve always taken security seriously, so we keep an eye on vulnerability reports and update announcements. Any device, application, program, or platform needs regular updates for bug fixes, new features, and enhancements. Updates themselves are not always safe and secure, but the Android team works to get fixes out quickly, and apps or updates are sometimes pulled from the store as a preventive measure so that malware does not spread further.

Such is the case with about two dozen mobile apps that have been removed from the Google Play Store. Together, these apps had reached some two million downloads.

That is a big number, and unfortunately the apps contain a backdoor that lets them download files in the background, without the user’s knowledge, from a server controlled by the attacker. Whoever controls that server can make the apps do whatever they wish.

A total of 22 apps have been deleted from Google Play. One notable app is Sparkle Flashlight, which has been downloaded over a million times. The app has been available since 2016, so for about two years the flashlight app has been exposing mobile users all over the world.

Sophos, an antivirus provider, recently published a report on the problem, describing the malicious component as a secret downloader. Sparkle Flashlight is just one case: two other apps were updated to include the downloader without users’ knowledge, and the remaining 19 apps were only added to the store after June of this year.

Google removed the apps last month. They were found to carry what Sophos calls “Andr/Clickr-ad”, which clicks on fake ads endlessly.

Here is an excerpt from Sophos’ report:

Andr/Clickr-ad is a well-organized, persistent malware that has the potential to cause serious harm to end users, as well as the entire Android ecosystem. These apps generate fraudulent requests that cost ad networks significant revenue as a result of the fake clicks.

From the user’s perspective, these apps drain their phone’s battery and may cause data overages as the apps are constantly running and communicating with servers in the background. Furthermore, the devices are fully controlled by the C2 server and can potentially install any malicious modules upon the instructions of the server.

What usually happens is that the apps create the false impression of clicks coming from “authentic” users on many different devices: their user-agent strings are manipulated so that each request appears to originate from a different device.
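The pattern just described, a single client that clicks continuously in the background while rotating its user-agent string, is something an ad network or a network defender can look for in request logs. The following is an added example written for this page; it is not code from Sophos, from Google, or from the apps themselves. The log format, the field names, the client identifiers and every sample line are constructed for the illustration, and the thresholds are arbitrary starting points rather than values taken from the report.

```python
"""
Flag clients whose ad clicks look like Clickr-ad style fraud: many clicks at
machine-like intervals, each one dressed up with a different User-Agent so
that the clicks appear to come from different "authentic" devices.

Added example for this article. The log format below is hypothetical:
    <ISO timestamp> client=<id> event=<click|impression> ua="<user agent>"
where client= is whatever stable key the ad server has (hashed IP plus
TLS fingerprint, a device token, ...). User agents are abbreviated.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log. A1 is the rotating-UA clicker; B2 is an ordinary
# user; D4 looks like a NAT gateway shared by several real users (many UAs,
# but human-paced clicks), which the timing check must not flag.
SAMPLE_LOG = """\
2018-11-20T10:00:00 client=A1 event=click ua="Android 8.0; SM-G950F; Chrome/70"
2018-11-20T10:00:01 client=A1 event=impression ua="Android 8.0; SM-G950F; Chrome/70"
2018-11-20T10:00:04 client=A1 event=click ua="iPhone; CPU iPhone OS 12_0; Safari/605"
2018-11-20T10:00:09 client=A1 event=click ua="Android 7.1; Pixel; Chrome/69"
2018-11-20T10:00:13 client=A1 event=click ua="iPad; CPU OS 11_4; Safari/604"
2018-11-20T10:00:18 client=A1 event=click ua="Android 9; ONEPLUS A6003; Chrome/70"
2018-11-20T10:00:22 client=A1 event=click ua="Android 8.0; SM-G950F; Chrome/70"
2018-11-20T10:00:27 client=A1 event=click ua="iPhone; CPU iPhone OS 12_0; Safari/605"
2018-11-20T10:00:31 client=A1 event=click ua="Android 7.1; Pixel; Chrome/69"
2018-11-20T09:15:10 client=B2 event=click ua="Android 8.1; Moto G6; Chrome/70"
2018-11-20T11:40:22 client=B2 event=click ua="Android 8.1; Moto G6; Chrome/70"
2018-11-20T15:02:01 client=B2 event=click ua="Android 8.1; Moto G6; Chrome/70"
2018-11-20T08:00:00 client=D4 event=click ua="Android 8.0; SM-G950F; Chrome/70"
2018-11-20T09:12:30 client=D4 event=click ua="iPhone; CPU iPhone OS 12_0; Safari/605"
2018-11-20T10:45:05 client=D4 event=click ua="Android 7.1; Pixel; Chrome/69"
2018-11-20T12:30:40 client=D4 event=click ua="Windows NT 10.0; Chrome/70"
2018-11-20T14:05:15 client=D4 event=click ua="Macintosh; Intel Mac OS X 10_14; Safari/605"
2018-11-20T16:20:50 client=D4 event=click ua="Android 9; ONEPLUS A6003; Chrome/70"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) client=(?P<client>\S+) event=(?P<event>\w+) ua="(?P<ua>[^"]*)"$'
)


def parse_log(text):
    """Parse the hypothetical log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "client": m["client"],
            "event": m["event"],
            "ua": m["ua"],
        })
    return events


def client_stats(events):
    """Per-client click count, number of distinct UAs, and mean seconds between clicks."""
    clicks = defaultdict(list)
    for e in events:
        if e["event"] == "click":          # impressions are ignored here
            clicks[e["client"]].append(e)
    stats = {}
    for client, evs in clicks.items():
        evs.sort(key=lambda e: e["ts"])
        n = len(evs)
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        mean_interval = span / (n - 1) if n > 1 else float("inf")
        stats[client] = {
            "clicks": n,
            "distinct_ua": len({e["ua"] for e in evs}),
            "mean_interval_s": mean_interval,
        }
    return stats


def find_click_fraud(text, min_clicks=5, min_distinct_ua=3, max_mean_interval_s=30.0):
    """Return {client: stats} for clients that click fast AND rotate their UA.

    Both conditions are required: a shared IP behind NAT also shows many UAs,
    but its clicks arrive at human pace, so the interval check keeps it out.
    """
    flagged = {}
    for client, s in client_stats(parse_log(text)).items():
        if (s["clicks"] >= min_clicks
                and s["distinct_ua"] >= min_distinct_ua
                and s["mean_interval_s"] <= max_mean_interval_s):
            flagged[client] = s
    return flagged


if __name__ == "__main__":
    for client, s in find_click_fraud(SAMPLE_LOG).items():
        print(f"{client}: {s['clicks']} clicks, {s['distinct_ua']} user agents, "
              f"{s['mean_interval_s']:.1f}s between clicks")
```

The rule deliberately requires both signals. A single device cycling through several user-agent strings within seconds has no legitimate explanation, whereas many user agents alone (a carrier NAT, a corporate proxy) or rapid clicks alone (an impatient user) each have innocent ones. In production the client key would also need to survive the obfuscation the apps use, which is why this kind of detection is usually combined with device-side signals such as battery and background-data usage, the very symptoms Sophos describes above.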

VIA: ArsTechnica