McAfee has found clicker malware, designed to facilitate ad fraud, in 16 mobile apps available in the Google Play Store. Google has since removed the apps, but they had racked up an estimated 20 million downloads. The malware was identified in apps such as flashlights, QR readers, cameras, unit converters, and task managers. Once the application is opened, the malware downloads its remote configuration.
The malware also registers an FCM (Firebase Cloud Messaging) listener to receive push messages. The ad fraud features hide behind the apps' legitimate functions, using remote configuration and FCM techniques. The malware forces infected devices to visit and browse websites in the background without the user’s knowledge. It flies under the radar by only performing actions when the smartphone is not in use. McAfee also stated that the malware will not work within an hour of initial installation.