Recently the McAfee Mobile Research Team has identified new Clicker malware that sneaked into Google Play. In total 16 applications that were previously on Google Play have been confirmed to have the malicious payload with an assumed 20 million installations.
The malicious code was found on useful utility applications like Flashlight (Torch), QR readers, Camara, Unit converters, and Task managers. Once the application is opened, it downloads its remote configuration by executing an HTTP request. After the configuration is downloaded, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages.
The malicious code segments are “com.click.cas” library which focuses on the automated clicking functionality and “com.liveposting” library works as an agent and runs hidden adware services. Malicious actions such as retrieving crawl URL information via FCM messages start in the background after a certain period of time and are not visible to the user.