McAfee Labs found an ad-fraud library embedded in 43 Android apps that remotely configures invisible ads to be fetched and displayed while the device screen is off, using Firebase services and specific domains. The threat is detected as Android/Clicker and leverages delayed activation, background execution permissions, and remote Firebase Storage/Messaging to avoid detection. #AndroidClicker #Firebase
Keypoints
- Researchers identified 43 Android apps (β2.5M installs combined) containing an ad-fraud library that displays ads while the screen is off.
- The library delays starting fraudulent activity for a latent period (typically weeks) to evade detection and analysis.
- Remote configuration and command-and-control are implemented via Firebase Storage and Firebase Messaging, allowing dynamic changes to behavior and ad URLs.
- The malware requests permissions to run in the background, exclude power-saving, and βdraw over other apps,β enabling hidden ad display and overlay actions.
- When activated, the library registers device info with attacker domains (e.g., mppado.oooocooo.com) and fetches ad URLs from Firebase to load ads during screen-off periods, consuming battery and data.
- Network traffic and ad fetches are observable during screen-off; ads often auto-close quickly to remain unnoticed by users.
- McAfee classifies the threat as Android/Clicker; affected apps were reported to Google and many removed or updated.
MITRE Techniques
- [T1071] Command and Control β Remote configuration and command-and-control are implemented via Firebase Storage and Firebase Messaging, allowing dynamic changes to behavior and ad URLs. ‘Remote configuration and command-and-control are implemented via Firebase Storage and Firebase Messaging, allowing dynamic changes to behavior and ad URLs.’
- [T1105] Ingress Tool Transfer β fetches ad URLs from Firebase to load ads during screen-off periods. ‘fetches ad URLs from Firebase to load ads during screen-off periods.’
- [T1496] Resource Hijacking β When activated, the library registers device info with attacker domains (e.g., mppado.oooocooo.com) and fetches ad URLs from Firebase to load ads during screen-off periods, consuming battery and data. ‘When activated, the library registers device info with attacker domains (e.g., mppado.oooocooo.com) and fetches ad URLs from Firebase to load ads during screen-off periods, consuming battery and data.’
Indicators of Compromise
- [Domain] C2/registration and ad delivery β mppado.oooocooo.com, best.7080music.com, and many other ocooooo/mgooogl variants.
- [Android package] Infected app package names β com.dmb.media, jowonsoft.android.calendar, and ~40 other package names listed in the report.
- [File hash] APK SHA256 samples tied to apps β f3e5aebdbd5cd94606211b04684730656e0eeb1d08f4457062e25e7f05d1c2d1, 6aaaa6f579f6a1904dcf38315607d6a5a2ca15cc78920743cf85cc4b0b892050, and many more hashes.