We recently discovered several malicious optimizer, booster, and utility apps (detected by Trend Micro as AndroidOS_BadBooster.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes, perform mobile ad fraud, and download as many as 3,000 malware variants or malicious payloads on affected devices. These malicious apps, which are supposed to increase device performance by cleaning, organizing, and deleting files, have been collectively downloaded over 470,000 times.

Our telemetry shows that this campaign has been active since 2017. As of writing time, Google Play has already removed the malicious apps from the Play Store.

Figure 1. Screenshots of the malicious apps previously found on Google Play

Based on our analysis, the 3,000 malware variants or malicious payloads (detected by Trend Micro as AndroidOS_BoostClicker.HRX) that can be possibly downloaded to an affected device with this campaign pretend to be system applications that do not show app icons on the device launcher or application list. The cybercriminals behind this campaign can use the affected device to post fake positive reviews in favor of the malicious apps, as well as perform multiple ad fraud techniques by clicking on the ads that pop up.

Figure 2. A graphic representation of the relationships between the malicious ad configuration servers based on data obtained from VirusTotal. Note: The nodes highlighted in red represent nodes detected by multiple vendors.

One of the apps associated with this campaign, Speed Clean, provides so-called features that can help boost the performance of mobile devices. When used, ads will pop up on the app, which is seemingly innocuous behavior for a mobile app.

Figure 3.