By: Viral Gandhi

More Porn Clicker Malware Masquerading As Dubsmash On Google Play Store

Click Fraud

Introduction

Dubsmash is a mobile app to create short "selfie" videos dubbed with famous sounds. It is extremely popular and is currently ranked #10 under Top free Android apps. The users of this app include many well known celebrities who eventually post the dubbed videos on popular social networking platforms like Facebook and Twitter.

The popularity of this app has caught the attention of the malware authors too, which is evident with a string of Trojan Porn Clicker apps disguised as Dubsmash posted on the Google Play Store in the past month (covered in ESET and AVAST blogs). The malicious apps mentioned in those blogs were quickly taken down by Google. However, we continue to see newer variants of the same malware family being uploaded to the Google Play store with the latest one posing as Dubsmash V3.
 
Google Play - Trojan Porn Clicker app
Although the malicious app poses as Dubsmash, the icon that the user sees upon installation imitates Settings, Memory Game, or a Flappy Bird app. The newest iteration of this malicious app has already been downloaded nearly 5,000 times.
 
Fake App Icon
The malware automatically removes the icon once the user quits the application for the first time, however it continues to run in the background as seen below.
 
Porn Clicker Process

Porn Clicker analysis

The purpose of this malware is to generate revenue for the malware author by generating clicks on the adult porn websites. While this may be good news that the user's credentials or sensitive information are not being stolen, it can still lead to financial loss for the end users through increased mobile data usage.

The Porn Clicker variants described in the previous blogs involved hardcoded, encrypted porn URLs in the malicious APK, whereas we are now seeing the newer variant dynamically retrieving the porn URLs from a remote server.
 
Clicking activity
The malicious app in our case contained two hardcoded URLs shown in the screenshot below:
Porn Clicker remote servers
Preconfigured URLs:
  • memr[.]oxti.org/g/getasite/  - The malicious app will get a new porn URL to visit from this location.
  • memr[.]oxti.org/z/z2/ - This location currently serves JavaScript code that will result in a random click on the porn site that gets visited by the app.
Screenshots below show the porn URLs that are dynamically retrieved  by the malicious app from the first location.
Porn URL1
 
Porn URL2
 
Porn URL3
JavaScript leveraged by the malicious app from a remote location to perform click fraud is shown in the screenshot below.
 
JavaScript - Random Click
It appears that the malware author keeps uploading and removing the same app on the Google Play store under different accounts. During the course of this write up, we saw the following two variations:
 
  • Dubsmash V3 [Package name: com.memr.gamess] - has been removed
  • Dubsmash 2    [Package name: com.jet.dubsh] - still active
 

Conclusion

The first variant of the Porn Clicker app masquerading as Dubsmash was reported in April, 2015 and it is concerning to see newer variants of the same malware slipping through Google's app vetting process even today.  The malware authors are still targeting Dubsmash as a disguise to trick end users into downloading the malicious app.

It is highly recommended for users to check the reviews & ratings of the apps, even when downloading them from official Google Play store. If you are infected with such an app, you can delete it by going to Settings >Apps > (AppName).

Write-up by: Viral Gandhi & Deepen Desai
 

Learn more about Zscaler.