In fact, fullscreen ads are displayed each time. One of the two applications also contained highly suspicious code to auto-click ads served by Facebook.
The updated application information was the following (right before it was removed by Google):
Application Name: Phone Cleaner Dev
Package Name: read.physical.trian
Play Store Link: (removed from Play) play.google.com/store/apps/details?
Given that it only contains a file, it is clear that it is supposed to be loaded and executed at runtime by an application, so we classified the file as a plugin.
At first sight, the two applications appear to be uploaded by different developers, with different email addresses and with different privacy links.
A proper investigation of the read.physical.trian package revealed code designed to trick the Facebook Ads SDK and generate fake clicks on the advertisements spawned by the application.
Internally, the code name has been “Cogito”, so this research blog will use that name throughout.
On a pool of approximately 1800 samples collected from the Play Store [1], Cogito detected two of them as malicious in a matter of seconds.
We recently announced an extension of the framework that detects previously unknown mobile malware.
This extension is known as “z9 for Mobile Malware”, and was officially announced in September 2017.
In fact, searching Google with some specific queries gave us good results: as expected, both applications analysed in previous research have the privacy link pointing to the same CDN.
The connection is now stronger, and with little effort we managed to find many more applications with the privacy link pointing to CloudFront.
The research [2] shows code very similar to what we found (the same use of the IMSI, the same C&C domain and similar auto-clicking code), and it is clear that the applications are related to each other.
Kaspersky Lab researchers said that the code is related to the Ztorg campaign, and over the months they noticed several times that Ztorg droppers were available on the Play Store.
This post outlines the process our team took to validate Cogito’s behavioral detection of the two malicious apps.