A new malicious clicker has emerged onto third-party app stores. Chinese in origin, the malicious app uses heavy obfuscation and poses as a battery optimizer app. We classify is as Android/Trojan.Clicker.hyj.
Hide what’s inside
To obfuscate its code, Clicker.hyj uses an APK inside another APK that hooks into the malicious code — allow me to explain. Let’s call the original APK that gets installed from a third-party app store onto the Android device the shell APK. After installation, the shell APK hooks into another APK, which is held in the shell APK’s data folder — let’s call this the executing APK. The executing APK holds all the malicious code while the shell APK contains simple code that runs some libraries which does the hooking of the executing APK. Looking at the shell APK code, there isn’t much to it. Because of its simplicity, it could easily be overlooked by malware researchers and/or scanners.
It’s important to note that the executing APK cannot be installed on an Android device alone — it must be run via the shell APK.
The meaty badness
- findbutton20161226.js – Find button on webpage
- getcaptcha4numberl.js -Get Captcha on webpage
- processurl.js – Process URL
- setcaptcha4numberl.js – Set Captcha on webpage
- simulationClickYes.js – Click “Yes” on button in webpage
Shortcut to maliciousness
Another trait of Clicker.hyj is creating a shortcut that opens up the default Web browser to a URL that is no longer active — who knows what malicious content it once contained!
All about the $$$ Crooks know there is real money in mobile malware — consequently, we will continue to see the rise of malware like Clicker.hyj.”>
In conclusion, be wary of installing third-party apps from untrusted app stores. It is also a good idea to always have a scanner installed on your phone like Malwarebytes anti-malware mobile — which, for the record, is FREE.
Stay safe out there!