"Click to list users"-mobile Trojan Google Play malicious click list, googleplay

"Click to list users"-mobile Trojan Google Play malicious click list, googleplay

At present, with the explosive growth of the number of applications in the application market, App marketing and promotion become more and more difficult. Click farming is generally considered to be the best shortcut for application promotion, it can greatly increase the volume of downloads and users in a short period of time, thus improving the application exposure. The increase in exposure leads to a surge in downloads, and the surge in downloads ensures the top ranking, which leads to a snowball increase. The domestic App scalping market is gradually growing, and is derived from a complete gray industry chain: application developers and scalping service providers have formed a close structure.
Recently, Baidu security lab found a mobile zombie Trojan dedicated to malicious click farming. In the embedded and normal applications of this trojan, after a user installs such applications, the user's device becomes a zombie of "Click farming ." The following figure shows how to use a mobile Trojan:
 

 
1. Click "Click guest" to request the control server to obtain the Google account and password logon information. The control server returns the Google login account name and password.
2. After obtaining the logon Google account and password, click "Click guest" and use the obtained account information to obtain logon authorization by simulating the Google Play protocol.
3. After obtaining the Google logon authorization, the "Click farming guest" request to control the server to obtain the click farming command.
4. Click "pop-ups" to download the specified application through Google Play Based on the command to click the list.
 
Users infected with "Click farming" Mobile Trojan will be remotely controlled by "Click farming" to launch malicious click farming, which will consume a large amount of data traffic. From the control server information, this mobile phone Trojan is developed by Chinese developers. Due to domestic network restrictions, this trojan is not targeted at Chinese users.

 

 

1. Analysis of Control Server functions:
 
Access command control server, you can directly go to the server management interface. The server provides the following functions:
 

 

 
1. Go to the "add, delete, modify, and query user data" page to view, modify, and delete the existing Google account information on the server. Currently, the server has tens of thousands of Google accounts and passwords for malicious click farming.
 

 
2. on the "add, delete, modify, and Query Task data" page, you can create a click farming task.
 

 
3. Go to the "Import account" page. You can upload multiple Google accounts and passwords by country.

 

 

 
2. Analysis of mobile phone Trojans
 
1. malicious code structure

 

 

2. Malicious Code Analysis
 
Click the icon to enter the program, and call Task. init to immediately start the relevant listing code:

 

 
Task. inti start TaskService

 

 
TaskService calls DMainTask. doWork to call the specific fl Logic

 

 
DMainTask. doWork completes the tasks of obtaining the entire Google account, logging on to Google Play, getting the command for refreshing the list, and downloading specific Google Play applications according to the command. The fl list logic is as follows:

 

 
The download request process for a normal Google Play application is described as follows:
Https://github.com/egirault/googleplay-api/issues/30)

 

The Code protocol is used to simulate the above download process to achieve malicious Google Play rankings.