Sixteen mobile malware apps have been detected posing as legitimate utilities while automatically crawling adverts in the background.

The McAfee Mobile Research Team recently discovered new Clicker malware that had infiltrated Google Play. In total, 16 previously available Google Play applications have been proven to contain the malicious payload, with an estimated 20 million installations.

McAfee security researchers alerted Google, and all discovered applications have been removed from Google Play. Google Play Protect, which prohibits harmful applications on Android, also protects users. In addition, McAfee Mobile Security solutions identify and protect you from malware such as Android/Clicker. Visit McAfee Mobile Security for more information and to get completely protected.

How does it work this New Malicious Clicker?

The malicious code was discovered in applications such as Flashlight (Torch), QR scanners, Camara, Unit converters, and Task managers:

When the program is launched, it sends an HTTP request to retrieve its remote settings. After downloading the settings, it registers the FCM (Firebase Cloud Messaging) listener to receive push messages. At first inspection, it appears to be well-crafted Android software. However, it conceals ad fraud characteristics behind remote configuration and FCM approaches.

The FCM message contains various information, including the function to call and its arguments. The image below depicts some of the FCM message histories.

The latent function is activated when an FCM message is received and fulfills certain criteria. It mainly involves viewing websites sent by FCM messages and surfing them sequentially in the background while simulating user behaviour. This may result in high network traffic and power consumption without user knowledge, while the threat actor behind this malware makes a profit. The image below shows an example of network traffic created to obtain the information needed to generate bogus clicks and pages visited without the user’s consent or input.

Depending on the application version, some have both libraries operating together, while others have the “com.liveposting” library. The malware uses installation time, random delay, and user presence to prevent users from recognizing these malicious behaviours. The malicious activity will not begin if the installation time is within an hour and during the time the user uses the device, most likely to prevent detection immediately.


This New Malicious Clicker malware seeks illegal advertising money and has the potential to destabilize the mobile advertising ecosystem. Malicious action is skillfully concealed to avoid discovery. Malicious operations, such as receiving crawl URL information via FCM messages, begin in the background and are not apparent to the user.

Sharing is Caring!

You are welcome to put this blog article on your website, provided you also append an active link to our website “Source: https://resources.rhyno.io”

For media enquiries, contact us at [email protected].


Rhyno delivers a range of activities that combine to fully protect your infrastructure and data from cybercriminals, anywhere and everywhere, 24/7/365.


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.

This website uses cookies to improve your online experience. By continuing, we will assume that you are agreeing to our use of cookies. For more information, visit our Cookie Policy.

Privacy Preference Center