In today's digital landscape, mobile app development is an essential aspect of the tech world. With millions of apps available on various platforms, users rely on these tools to stay connected, productive, and entertained. However, a recent discovery has shed light on a malicious trend in mobile app development – fake Android apps designed to spread malware and perform ad fraud.
Our research team uncovered several suspicious optimizer, booster, and utility apps that have been collectively downloaded over 470,000 times. These apps, detected as AndroidOS_BadBooster.HRX by Trend Micro, are capable of accessing remote ad configuration servers for malicious purposes, performing mobile ad fraud, and downloading up to 3,000 malware variants or payloads on affected devices.
Initially designed to increase device performance by cleaning, organizing, and deleting files, these apps have been active since 2017. As of our analysis, Google Play has removed the malicious apps from the Play Store. Our telemetry data shows that this campaign has been ongoing for several years, with a significant spike in malware variants and payloads in recent years.
The malicious apps we detected pretend to be system applications, hiding app icons on device launchers or application lists. Cybercriminals behind this campaign can use affected devices to post fake positive reviews of the malicious apps and perform various ad fraud techniques by clicking on ads that pop up.
Technical Analysis
One of the apps associated with this campaign is Speed Clean, which claims to boost mobile device performance. Upon usage, ads pop up, which is seemingly innocuous behavior for a mobile app. However, we observed malicious behavior occurring in the background: the Speed Clean app can launch a transparent activity in the background to hide malicious content from users.
We also found that the Speed Clean app establishes a connection with remote ad configuration servers and registers new malicious installations. Once registered, Speed Clean starts pushing malicious ad content to users, including trojans and malware variants.
Malicious App Traffic
The malicious apps we detected can download up to 3,000 malware variants or payloads on affected devices. These malware variants can simulate user clicks for ad fraud purposes, install rewarded apps in virtual environments, trick users into enabling accessibility permissions, deactivate Google Play Protect security features, and post fake reviews.
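The traits described above (a transparent activity that hides its content, an icon hidden from the launcher, abuse of accessibility permissions, and the ability to install further payloads) can be triaged statically from an app's manifest. The following added example is not from the original post or from Trend Micro; it parses a constructed sample manifest whose package name, activity and service names are hypothetical, and flags only the static form of each trait (an icon hidden at runtime via PackageManager would not be caught).

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest modelled on the traits described for the booster apps.
# All names here are hypothetical, not taken from the real samples.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.speedclean.sample">
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Speed Clean">
    <activity android:name=".HiddenAdActivity"
              android:theme="@android:style/Theme.Translucent.NoTitleBar"
              android:excludeFromRecents="true"/>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <service android:name=".FakeAccessibility"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def triage_manifest(xml_text):
    """Return a list of suspicious traits found in an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    has_launcher = False
    for act in app.iter("activity"):
        # Translucent / NoDisplay themes let an activity run without visible UI.
        theme = act.get(ANDROID_NS + "theme", "")
        if "Translucent" in theme or "NoDisplay" in theme:
            findings.append("transparent_activity:" + act.get(ANDROID_NS + "name", "?"))
        for filt in act.iter("intent-filter"):
            cats = {c.get(ANDROID_NS + "name") for c in filt.iter("category")}
            if "android.intent.category.LAUNCHER" in cats:
                has_launcher = True
    # No LAUNCHER category on any activity means no icon in the app drawer.
    if not has_launcher:
        findings.append("no_launcher_icon")
    for svc in app.iter("service"):
        # An accessibility service can read screen content and simulate input.
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("accessibility_service:" + svc.get(ANDROID_NS + "name", "?"))
    for perm in root.iter("uses-permission"):
        # Needed to sideload further payloads after the initial install.
        if perm.get(ANDROID_NS + "name") == "android.permission.REQUEST_INSTALL_PACKAGES":
            findings.append("can_request_package_install")
    return findings
```

Run `triage_manifest` over manifests extracted from APKs (for example with apktool) to prioritise which samples to analyse dynamically; a single finding is weak on its own, the combination is what matches this campaign's pattern.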
Historical Analysis
Our research team has been tracking the evolution of this campaign since 2017. The table below illustrates the growth in malware variants and payloads over the years:
| Year | No. of Malware Variants/Malicious Downloads and Payloads |
| --- | --- |
| 2017 | 6 |
| 2018 Q1 | 40 |
| 2018 Q2 | 37 |
| 2018 Q3 | 20 |
| 2018 Q4 | 72 |
| 2019 Q1 | 1076 |
| 2019 Q2 | 1090 |
| 2019 Q3 | 399 |
| 2019 Q4 | 23 |
| 2020 Q1 | 33 |
As mobile app development continues to evolve, it's essential for developers and users alike to remain vigilant against malicious apps. By understanding the tactics used by cybercriminals, we can work together to create a safer digital landscape.