Hundreds of Android apps available for download from the official Google Play marketplace may be infected with a new form of "auto-clicking adware", experts have warned.
That's according to Japanese security firm Trend Micro, which this week (16 August) detailed how its researchers recently found more than 300 compromised applications, one of which – called "Aladdin's Adventure's World" – had been downloaded five million times.
The adware has been dubbed "GhostClicker" because of the method it uses to generate illicit profits.
The malicious software was found in games, file managers, barcode scanners, multimedia recorders, device chargers and GPS/navigation-related apps.
At least 101 of 340 infected apps found on the Play Store were still available as of 7 August, Trend Micro said, adding the rest had been removed by Google.
Detections had a global spread, allegedly spanning Brazil, Japan, Taiwan, Russia, Italy, and the US.
Analysis found that GhostClicker hides in Google Mobile Services (GMS), a collection of the most popular apps and application program interfaces (APIs), and also Facebook's advertising kit.
It reportedly embeds into the two services disguised as a legitimate app component called 'logs'.
"Some of the GhostClicker-embedded apps we analysed [...] requested device administration permission when first run, but they do not declare the security policies used in metadata, such as wiping data and resetting password," said experts Echo Duan and Roland Sun.
"This can be a way to deter users from removing the app, taking advantage of the lengthy [...] process of uninstalling apps. It's certainly not a user-friendly process: uninstalling an app with device administration requires that it be disabled first before an app can be removed."
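The indicator the researchers describe (a device-admin receiver whose policy metadata declares nothing) can be checked statically in a decoded APK. The following Python is an added illustration, not code from Trend Micro or from the article; the package and receiver names and the sample manifest are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
DEVICE_ADMIN_META = "android.app.device_admin"


def android_attr(attr):
    """Qualify an attribute name with the Android XML namespace for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


def find_policyless_device_admins(manifest_xml, resources):
    """Return names of receivers bound as device admin that declare no policies.

    manifest_xml: decoded AndroidManifest.xml text. resources: '@xml/<name>' -> decoded
    policy XML. Flagged when the device_admin metadata or its file is missing, or
    <uses-policies> is absent or empty (the pattern the report notes).
    """
    root = ET.fromstring(manifest_xml)
    flagged = []
    for receiver in root.iter("receiver"):
        if receiver.get(android_attr("permission")) != BIND_DEVICE_ADMIN:
            continue
        declared = 0
        for meta in receiver.findall("meta-data"):
            if meta.get(android_attr("name")) != DEVICE_ADMIN_META:
                continue
            policy_xml = resources.get(meta.get(android_attr("resource")))
            if policy_xml is not None:
                uses = ET.fromstring(policy_xml).find("uses-policies")
                declared = len(list(uses)) if uses is not None else 0
        if declared == 0:
            flagged.append(receiver.get(android_attr("name"), "<unnamed>"))
    return flagged


# Constructed sample (hypothetical names): a legitimate admin receiver and a 'logs'-style one with no policies.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <receiver android:name="com.example.app.LegitAdmin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/legit"/>
    </receiver>
    <receiver android:name="com.example.app.logs.AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <meta-data android:name="android.app.device_admin" android:resource="@xml/logs"/>
    </receiver>
  </application>
</manifest>"""
SAMPLE_RESOURCES = {
    "@xml/legit": "<device-admin><uses-policies><wipe-data/><reset-password/></uses-policies></device-admin>",
    "@xml/logs": "<device-admin><uses-policies/></device-admin>",
}
```

Run against the output of an APK decoder (the manifest plus the `res/xml` files it references) to triage apps that request device-admin rights without any stated reason.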
Trend Micro said the Android malware inserts itself into AdMob, a Google-owned ad platform, to find advertisements and then simulate clicks on them, which in turn generates revenue for the operators.
But it doesn't stop there: GhostClicker can also "generate fake traffic" to further boost clicks.
"It will pop up in other apps' download links in Google Store or open a YouTube video link in the device's browser via [the hacker's] command and control (C&C) server," the experts said. "Upon activation of device administration, GhostClicker will execute auto-clicks every minute."
In order to stay protected against malicious software like GhostClicker, users are advised to ensure their devices have the latest security updates installed.