Android Wallpaper Apps Found Running Ad Fraud Scheme

By Tony Bao

We detected 15 wallpaper apps in Google Play Store committing click ad fraud. The said apps were collectively downloaded from Play Store more than 222,200 times at the time of writing, and our telemetry showed Italy, Taiwan, the United States, Germany and Indonesia with the most infections recorded. Google has confirmed removal of all the identified apps.

Figure 1. The apps were briefly available for download in Google Play Store.


The apps were designed with enticing icons that promise beautiful mobile wallpapers. The apps themselves also have high user reviews and good comments, but we highly suspect that these reviews are fake and meant to project credibility to users.

Figure 2. Wild Cats HD Wallpaper app has been downloaded more than 10,000 times.
Review of the app was rated 4.8 on Google Play Store.

Once downloaded, the apps decode the command and control (C&C) server address for the configuration.

Figure 3. C&C server address decoded and run.

The entire process is muted to hide the activity from the user. An HTTP GET request is communicated to the C&C for a JSON-formatted list once the app is launched.


Figure 4. The entire process is muted.

Figure 5. C&C server response.

When the feed runs, each initialized feed and object includes a fallback_URL, type, UA, URL, referer, x_requested_with, and keywords.

Figure 6. Initialized feed list.

The apps then get the advertising ID from Google Play Services, and replace some parameters in the URL, ANDROID_ID with the advertising ID, replace BUNDLE_ID with the fraudulent app’s package name, replace IP with the infected device’s current IP, and more. After replacement, the URL is loaded according to the type.

Figure 7. Constructing a fraudulent fallback_URL.

While loading the URL, the browser background will be set to transparent.

Figure 8. Background set to transparent.

After the URL loads, the apps begin to simulate clicks on the ad page.

Figure 9. Simulating fake ad clicks.

The cybercriminals profit through the parameters’ value replacement. IDs provided by Google for Android developers such as the advertising ID, advertiser ID and device ID are anonymous identifiers specific to users to monetize their apps. The app replaces ANDROID_ID, BUNDLE_ID, IP, USER_AGENT with the ad ID, the app’s package name, current IP, and the user agent of the current browser. These are all in the fallback_URL from the configuration file, creating a fraudulent fallback_URL for fake clicks. For example, the original would be:{ANDROID_ID}&bundle={BUNDLE_ID}&ip={IP}&ua={USER_AGENT}&cb=5c1236f316e45

This will be replaced with: (Linux; Android 6.0.1; MuMu Build/V417IR; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobile Safari/537.36&cb=5c1236f316e45

Trend Micro Solutions

Users have to be vigilant and be cautious of the apps they download, as cybercriminals will continue manipulating app features to profit, steal information and attack. Mobile devices have to be protected with a comprehensive security structure and program against mobile malware.

Trend Micro Mobile Security detects this threat, and Trend Micro Mobile Security Personal Edition defends devices from all related threats. Trend Micro™ Mobile Security for Android™ (also available on Google Play) blocks malicious apps , and end users can also benefit from its multilayered security capabilities that secure the device’s data and privacy, and safeguard them from ransomware, fraudulent websites, and identity theft.

For organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning, as well as protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies to protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerability.


Indicators of Compromise

Package Name


Installs (as of 12/14/2018)

com.amz.wildcats 0995b52a9a12cf31ae19c360d56ca1a20d784eecc9b018514dbf01446f4ad36e 10,000+
com.amz.underwaterworld 1f6907b2e8f7fa7597a28b2e7133325fcddb3e4f9e1c3cbad82afaa82bf3c57e 5,000+
com.appmakerz.dclock b098d0ee0766558dff37761358d250a7b648c1de1556bd0345564b74a6db848c 50,000+
com.appmakerz.shark fbcc2c9ddc69c0f272f80051987b5ed911cd112ef6e26709b54e67cae7ce1fb6 50,000+
com.appmakerz.xphone aec79ed8cb779474a058e89bd4f1a55a534d439af5d48751867300a885d50182 10,000+
com.appmakerz.dolphins 48d7ebf7fd65cb317e52c5d331d193bfaf3f48590b8f598292be88f26dc8464e 10,000+
com.appmakerz.ocean 034aa9f3ceeb74acf38c0f4036bb0e89339759ed73de009207c7036eb25e14a5 10,000+
com.appmakerz.waterdrop 8d643500319bd9e4eb2007ac43613bf53943b65dff25ee933d5450ecc11402b8 10,000+
com.appmakerz.koi 8f16246b9afc1dfb89ca8b60f1b097584b94034e0de6496bbc28e58d667c4af5 10,000+
com.appmakerz.crackedscreen a2ef230d3b091c0571bb0c96b456c17f94a176a2861281b6ff0b56e789e17b64 50,000+
com.amz.skull ee6ef277ea9d8478965452e10c0c01cd7a4d13c1cd23e9ee8d2668a715f7a6b5 5,000+
com.mobixa.curvededges fa8f9d3415bc38b679204f2c8fd983e12298e014007f2a18f7501e3c1d3d1910 100+
com.mobixa.starrysky bf016cf1142b17c5a088a80feb88fb10ab9be05c20133931b7190e352a1f1b08 100+
com.mobixa.sunset bc8237bf6a9b25e71bb55c0841c1ee6ef443835bf172666a680f74badadf34f8 1,000+ d34598835b28a6ad070dd0986b0bbc336c8ba7cac9a9a22d6b3c6a99049242a6 1,000+


C&C Server



The post Android Wallpaper Apps Found Running Ad Fraud Scheme appeared first on .

Article Link: