November 1, 2013

MaClickFraud: Counterfeit Clicks and Search Queries

Overview

Lookout has identified MaClickFraud, a Trojan added to legitimate games and other applications that defrauds search engines and ad networks by simulating legitimate traffic. This Trojan can enable a broad range of click fraud activities, from faking search terms in order to boost the ranking of a targeted website, to gaming incentivized download networks or other ad networks in order to make an ad publisher appear to have more traffic than they actually do.

Who Is Likely to Be Affected

The risk of infection is low, with the vast majority of detections occurring in Chinese-speaking regions like China, Taiwan, and Hong Kong. To date, the only site we have observed hosting the malware is AnZhi, a Chinese alternative app store.

All Lookout users are protected from this threat.

Lookout’s Take

This Trojan can engage in a broad range of click fraud activities and its authors likely rent out their botnet to other parties who may use it to fake search activity as a form of black-hat SEO or to impersonate ad clicks on their own properties to boost ad revenue. Since the malware infects otherwise-legitimate apps and does not cause visibly adverse effects to the app user, it likely remains active and undetected for a relatively long period of time, compared to other more intrusive forms of malware.

How It Works

After the app is installed, the malware attempts to start by registering itself to be activated when a user is present, when the device boots up, or when connectivity or Wi-Fi state changes.
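A triage check for the registration pattern described above, as an added example that is not Lookout's detection logic: it scans a decoded AndroidManifest.xml for any single receiver that listens for several of these triggers at once. The mapping from the triggers named in the text to Android broadcast actions is an assumption, and the manifest, package and receiver names are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping: the page names the triggers, not the exact broadcast actions.
TRIGGERS = {
    "android.intent.action.USER_PRESENT": "user present",
    "android.intent.action.BOOT_COMPLETED": "boot",
    "android.net.conn.CONNECTIVITY_CHANGE": "connectivity change",
    "android.net.wifi.WIFI_STATE_CHANGED": "wifi change",
    "android.net.wifi.STATE_CHANGE": "wifi change",
}

def flag_receivers(manifest_xml, min_triggers=3):
    """Return {receiver: sorted trigger kinds} for receivers that listen
    for at least min_triggers distinct kinds of trigger."""
    root = ET.fromstring(manifest_xml)
    flagged = {}
    for receiver in root.iter("receiver"):
        name = receiver.get(ANDROID_NS + "name", "<unnamed>")
        kinds = {TRIGGERS[a.get(ANDROID_NS + "name")]
                 for a in receiver.iter("action")
                 if a.get(ANDROID_NS + "name") in TRIGGERS}
        if len(kinds) >= min_triggers:
            flagged[name] = sorted(kinds)
    return flagged

# Constructed sample: a decoded (text) manifest with one benign-looking receiver
# and one receiver that registers for every trigger the text describes.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.game">
  <application>
    <receiver android:name=".ScoreSyncReceiver">
      <intent-filter><action android:name="android.net.conn.CONNECTIVITY_CHANGE"/></intent-filter>
    </receiver>
    <receiver android:name="com.example.sdk.WakeReceiver">
      <intent-filter>
        <action android:name="android.intent.action.USER_PRESENT"/>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
        <action android:name="android.net.wifi.WIFI_STATE_CHANGED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(flag_receivers(SAMPLE_MANIFEST))
```

Legitimate apps also register for these broadcasts, so a hit is a reason to inspect the receiver's code, not a verdict. Receivers registered at runtime do not appear in the manifest and are not covered by this check.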

Once started, it will request a target from the command and control server and begin simulating legitimate traffic, setting a cookie on the user’s device in order to impersonate attributes such as an affiliate ID.

We have specifically observed it telling infected devices to search Baidu (China’s most popular search engine) using search terms such as:

  • “深航空姐惊悚新妆容” (English translation: “The new terrifying makeup of the female flight attendants of Shenzhen airline”)

Automated search queries, like the example above, are a black-hat SEO technique that can be used to manipulate pagerank algorithms and drive additional traffic to publishers who have optimized for these terms and who can monetize the increased traffic through ad impressions, affiliate marketing deals, or direct sales.

How To Stay Safe

  • Only install apps from trusted stores.
  • Download a mobile security app like Lookout’s app that protects against malware as a first line of defense.