Overview: Clicker Trojans are a widespread class of malicious programs designed to inflate website traffic and earn money online. They simulate user operations on web pages by clicking links and other interactive elements, silently imitating interaction with advertising websites and automatically subscribing the victim to paid services. The Trojan is a malicious module built into otherwise ordinary applications such as dictionaries, online maps, audio players, barcode scanners and other software.
Clicker Trojan report: "AItype virtual keyboard" risk tips.
Recently, Shadow Lab discovered a new Clicker malware family, the Haken Trojan, on Google Play. The carrier application provides location and direction services. Unlike Clicker and Joker Trojans, which create and load invisible web views to perform their malicious clicks, the Haken Trojan simulates user clicks by injecting native code into the libraries of the Facebook and Google advertising SDKs, earning money by clicking ads and inflating website traffic.
Figure 1-1 Application information on Google Play
Users complain that the application pops up ads, and they advise others to download it with caution.
Figure 1-2 User comments on the application
The program's first entry point is the BaseReceiver broadcast receiver. Many intent actions are registered for it so that the receiver is easily triggered.
Figure 2-1 Register for BaseReceiver broadcast
The receiver loads the native library file. The native-layer function startTicks then calls back into Java and invokes the "clm" method of the class com/google/android/gms/internal/JHandler, a class placed in a namespace that imitates Google Play services.
Figure 2-2 Load library file reflection call local method
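The loader chain above (a receiver registered for many actions, a native library, and a JNI call back into a class hiding in a Google-lookalike namespace) is something a defender can triage statically before reverse engineering. The following is an added example, not Shadow Lab's tooling: it parses a decoded AndroidManifest.xml of the kind apktool emits and a string dump of the kind `strings` produces over classes.dex and the bundled .so, and flags the pattern. The manifest, the string dump, the package name com.example.mapsdemo, the 192.0.2.10 address and the thresholds are all constructed assumptions for this example; the class path, startTicks and clm come from the analysis above.

```python
"""Heuristic triage for the broadly-triggered-receiver + native-loader pattern.

Added example, not the page's or Shadow Lab's code. Sample manifest and
string dump are constructed here; thresholds and patterns are assumptions.
"""
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed decoded manifest (apktool style). Package name is made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.mapsdemo">
  <application>
    <receiver android:name="com.example.mapsdemo.BaseReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.intent.action.ACTION_POWER_CONNECTED"/>
        <action android:name="android.intent.action.ACTION_POWER_DISCONNECTED"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
    <receiver android:name="com.example.mapsdemo.SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed string dump. The slash-form class path is what JNI FindClass
# takes, so finding it in the .so identifies the native-to-Java call target.
# 192.0.2.10 is a TEST-NET placeholder, not the real server address.
SAMPLE_STRINGS = [
    "Ljava/lang/System;->loadLibrary",
    "startTicks",
    "com/google/android/gms/internal/JHandler",
    "clm",
    "Ljava/lang/reflect/Method;->invoke",
    "Ljava/lang/Class;->forName",
    "http://192.0.2.10/config",
    "Landroid/view/View;->performClick",
]


def receivers_with_many_actions(manifest_xml, threshold=4):
    """Return [(receiver class, distinct action count)] for receivers whose
    intent-filters register at least `threshold` actions. Legitimate receivers
    usually listen for one or two; a long list is the 'easily triggered'
    pattern seen in BaseReceiver."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for recv in root.iter("receiver"):
        name = recv.get(ANDROID_NS + "name")
        actions = {a.get(ANDROID_NS + "name") for a in recv.iter("action")}
        if len(actions) >= threshold:
            hits.append((name, len(actions)))
    return hits


# Indicator name -> regex applied to each dumped string (assumed patterns).
INDICATORS = {
    "native_loader": re.compile(r"System;->loadLibrary|Runtime;->load"),
    "reflection": re.compile(r"Class;->forName|Method;->invoke|getDeclaredMethod"),
    "gms_lookalike_class": re.compile(r"^com/google/android/gms/internal/[A-Za-z]+$"),
    "plain_http_raw_ip": re.compile(r"^http://\d{1,3}(\.\d{1,3}){3}(?:[:/]|$)"),
    "synthetic_click": re.compile(r"View;->performClick|MotionEvent;->obtain"),
}


def triage_strings(strings):
    """Map each indicator name to the dumped strings that matched it."""
    found = {}
    for s in strings:
        for name, pat in INDICATORS.items():
            if pat.search(s):
                found.setdefault(name, []).append(s)
    return found


def risk_summary(manifest_xml, strings):
    """Combine both checks. A broad receiver alone is weak evidence; together
    with native loading, reflection and a GMS-lookalike class it matches the
    loader chain described in the analysis."""
    recv = receivers_with_many_actions(manifest_xml)
    ind = triage_strings(strings)
    chain = {"native_loader", "reflection", "gms_lookalike_class"}
    return {
        "broad_receivers": recv,
        "indicators": sorted(ind),
        "loader_chain": chain.issubset(ind) and bool(recv),
    }


if __name__ == "__main__":
    print(risk_summary(SAMPLE_MANIFEST, SAMPLE_STRINGS))
```

Each indicator on its own is common in benign apps (many apps load native code and use reflection), which is why the summary only reports `loader_chain` when the receiver finding and all three chain indicators coincide; the hard-coded plaintext URL and the click-synthesis strings are reported separately as supporting evidence for a manual review.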
In this method two worker threads and a timer are registered. The wdt thread communicates with the C&C server to obtain the latest configuration. The w thread is triggered by the timer to check that configuration and inject code into the advertising-related Activity classes of the advertising SDKs (such as Google's AdMob and Facebook).
Figure 2-3 Registering two worker threads
Worker thread one:
The wdt thread interacts with the server to obtain the latest configuration information. The server address is hard-coded: http://13.***.34.16.
Figure 2-4 Server interaction
The server returns configuration information, including an updated address to be used for subsequent server interaction.
Figure 2-5 Obtaining configuration information from the server
Worker thread two:
The w thread starts an activity when the device is connected to the network and the timer has fired at its regular 60000 ms interval since the application started. It generates a random number between 1 and 4 to select which activity to start; these four activities inject code into the Facebook and Google ad SDKs to load ads and simulate clicks on them.
Figure 2-6 Injecting code into the Facebook and Google ad SDKs
Figure 2-7 Loading ads
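A hard-coded plaintext HTTP address polled from a fixed timer leaves a recognisable trace in egress logs: a steady stream of requests to a raw IP with almost no jitter. The following is an added example of that detection, not code from the page or from Shadow Lab. It runs over constructed proxy-style log lines in an assumed "timestamp device method url" layout; the device names, the 198.51.100.7 address (a TEST-NET placeholder), the /config path and the thresholds are assumptions. The 60-second period in the sample mirrors the 60000 ms timer described above, but the detector does not assume any particular period.

```python
"""Detect timer-driven polling of a hard-coded plaintext HTTP address.

Added example, not the page's or Shadow Lab's code. Log lines are
constructed; field layout, thresholds and addresses are assumptions.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log: "<ISO timestamp> <device> <method> <url>" (assumed format).
# device-a carries the polling pattern; device-b is ordinary map traffic.
SAMPLE_LOG = """\
2020-02-20T10:00:00 device-a GET http://198.51.100.7/config
2020-02-20T10:00:02 device-a GET https://maps.example.org/tiles/1
2020-02-20T10:01:00 device-a GET http://198.51.100.7/config
2020-02-20T10:02:00 device-a GET http://198.51.100.7/config
2020-02-20T10:02:31 device-a GET https://maps.example.org/tiles/2
2020-02-20T10:03:01 device-a GET http://198.51.100.7/config
2020-02-20T10:04:00 device-a GET http://198.51.100.7/config
2020-02-20T10:05:00 device-a GET http://198.51.100.7/config
2020-02-20T10:00:10 device-b GET https://maps.example.org/tiles/1
2020-02-20T10:07:45 device-b GET https://maps.example.org/tiles/9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
URL_RE = re.compile(r"^(https?)://([^/:?#]+)")
RAW_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_log(text):
    """Yield (timestamp, device, scheme, host) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, device, _method, url = m.groups()
        u = URL_RE.match(url)
        if not u:
            continue
        yield datetime.fromisoformat(ts), device, u.group(1), u.group(2)


def find_beacons(text, min_hits=5, max_cv=0.05):
    """Return destinations that look like fixed-timer polling: plaintext HTTP
    to a raw IP, at least `min_hits` requests, and inter-request intervals
    whose coefficient of variation (stdev / mean) is at most `max_cv`."""
    series = defaultdict(list)
    for ts, device, scheme, host in parse_log(text):
        series[(device, scheme, host)].append(ts)

    findings = []
    for (device, scheme, host), stamps in series.items():
        if scheme != "http" or not RAW_IP_RE.match(host) or len(stamps) < min_hits:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "device": device,
                "host": host,
                "hits": len(stamps),
                "period_s": round(mean),
                "jitter_cv": round(cv, 4),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

The check keys on the combination that a hard-coded address and a fixed timer produce rather than on the address itself, so it still fires after the server pushes a new address through the configuration update the analysis describes. A sample that adds random sleep between polls raises the jitter above `max_cv`; for that case the raw-IP plaintext-HTTP filter alone is still worth alerting on at a lower severity.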
The injected code simulates user clicks on the advertisements received from the advertising SDK. These functions are implemented through the reflection mechanism.
Figure 2-8 Clicking on the advertisement received from the advertisement SDK
Using the server address that the application interacts with, we accessed the application's server backend and found that the application's developer had used the XAMPP platform to build a personal website and server.
Figure 2-9 Haken Trojan Personal Website
The server backend contains two JS files, which are used for code injection to implement the simulated click function.
Figure 2-10 Haken Trojan server backend
The "Joker" malware family was first discovered on Google Play in September 2019, and Shadow Lab warned users about it on September 28, 2019 in the article "Anti-Spy Tour: Simulated Subscription to Premium Services Risk Warning".
The malware subscribes users to premium services by silently simulating automatic interaction with advertising websites, including simulating clicks and entering the authorization codes required for premium service subscriptions. In the past few months, Joker has continued to reappear in the Google Play store.
We recently discovered four more Joker samples on Google Play, which have been downloaded 130,000+ times in total. The sample information follows.
This article is published by www.internetweblist.com and does not represent the position of www.internetweblist.com: http://www.internetweblist.com/Virus prevention/20291.html