A new strain of Android malware combines click fraud with credential theft and poses a significant threat to users across Southeast Asia, Latin America, and parts of Europe. Disguised as casual games, task-reward utilities, or clones of legitimate applications such as Chrome or Facebook, the malicious APK files lure users into sideloading them from sources outside the Google Play Store. Sideloading sidesteps Play Store review, and the campaign leans on social engineering lures such as a "Free $5" incentive or a "Create Your Ad Campaign" prompt to drive downloads.
Once installed, the apps request an array of excessive permissions, including access to the camera, contacts, account management, and the ability to run foreground services, far beyond what a casual game or reward app needs. That overreach is a red flag: legitimate applications typically request only the permissions essential for their stated function.
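A first triage step on such a sample is to diff the permissions declared in the manifest against what the app claims to be. The Go program below is an added example, not Trustwave's tooling or code from the malware: it parses a constructed, already-decoded AndroidManifest.xml (the package name `com.example.casualgame` and the baseline permission set are assumptions) and returns every permission a casual game has no business holding. Mapping the article's "account management" to `GET_ACCOUNTS` is also an assumption.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// manifest captures the <uses-permission> entries of a decoded AndroidManifest.xml.
// The attribute tag omits the namespace so it matches android:name whatever the prefix.
type manifest struct {
	Package string `xml:"package,attr"`
	Perms   []struct {
		Name string `xml:"name,attr"`
	} `xml:"uses-permission"`
}

// GameBaseline is one analyst's view of what a casual game legitimately needs.
// It is a judgement call made for this example, not a figure from the article.
var GameBaseline = map[string]bool{
	"android.permission.INTERNET":             true,
	"android.permission.ACCESS_NETWORK_STATE": true,
	"android.permission.VIBRATE":              true,
	"android.permission.WAKE_LOCK":            true,
}

// ExcessPermissions parses the manifest and returns, sorted, every declared
// permission that the baseline for the app's claimed purpose does not cover.
func ExcessPermissions(manifestXML string, baseline map[string]bool) ([]string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(manifestXML), &m); err != nil {
		return nil, err
	}
	var excess []string
	for _, p := range m.Perms {
		if !baseline[p.Name] {
			excess = append(excess, p.Name)
		}
	}
	sort.Strings(excess)
	return excess, nil
}

// SampleManifest is constructed for this example. It declares the permission
// classes the article lists (camera, contacts, accounts, foreground service)
// alongside the two a networked game plausibly needs.
const SampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.casualgame">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
</manifest>`

func main() {
	excess, err := ExcessPermissions(SampleManifest, GameBaseline)
	if err != nil {
		panic(err)
	}
	for _, p := range excess {
		fmt.Println("excess:", p)
	}
}
```

A real APK stores the manifest as binary XML, so decode it first (apktool or a similar tool) and feed the result to `ExcessPermissions`; the baseline should be chosen per app category, since a banking app and a puzzle game have very different legitimate needs.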
Trustwave SpiderLabs analysts uncovered the campaign while investigating a Facebook-themed lure that automatically downloaded a payload named `fb20-11-en.apk` from a spoofed domain. Their research indicates that the same infrastructure distributes numerous variant apps, each tailored to impersonate regional banks, telecommunications companies, or betting platforms, yet all compiled from a common code base.
The malware operates on two fronts. For ad fraud, it silently loads parked domains and affiliate funnels and simulates user interactions such as taps and scrolls to inflate ad-impression counts; the redirection chains observed during analysis make this activity evident. For credential theft, it presents convincing login forms to siphon usernames, passwords, and occasionally one-time PINs, forwarding the captured data over an encrypted channel to a command-and-control (C2) backend.
This dual-purpose design lets the operators monetize infected devices immediately through click fraud while harvesting data for resale or later account takeovers. The malware employs a modular configuration system: its C2 map is delivered as a Base64-encoded blob encrypted with AES in Electronic Codebook (ECB) mode. The key, `123456789mangofb`, is hard-coded in the APK (16 bytes, so AES-128), which lets the malware decrypt fresh API routes on the fly and rotate infrastructure when domains are blocked. The same static key lets anyone holding the APK decrypt every configuration the operators push, and ECB mode leaks structure because identical plaintext blocks encrypt to identical ciphertext blocks.
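To see what a static key and ECB mode mean in practice, here is an added example in Go, not code from the campaign or from Trustwave: it rebuilds the envelope the paragraph describes (AES-ECB with the hard-coded key, then Base64), decodes it the way an analyst's extractor would, and counts repeated ciphertext blocks. The sample configuration and its field names are constructed; only the key and the beacon URL come from the article. PKCS#7 padding is assumed, since the page does not say which padding the malware uses.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
)

// Key reported as hard-coded in the APK. 16 bytes, so it selects AES-128.
const hardcodedKey = "123456789mangofb"

// ecb runs the raw block cipher over each 16-byte block independently. ECB has no
// IV or chaining, so equal plaintext blocks always produce equal ciphertext blocks.
func ecb(key, in []byte, decrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%aes.BlockSize != 0 {
		return nil, errors.New("input is not a multiple of the AES block size")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		dst, src := out[i:i+aes.BlockSize], in[i:i+aes.BlockSize]
		if decrypt {
			block.Decrypt(dst, src)
		} else {
			block.Encrypt(dst, src)
		}
	}
	return out, nil
}

// pkcs7Pad appends 1..16 bytes, each equal to the number of bytes added (assumed scheme).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

// pkcs7Unpad checks every pad byte; a wrong key or a tampered blob usually fails here.
func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 {
		return nil, errors.New("empty plaintext")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || n > len(b) ||
		!bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or corrupted data")
	}
	return b[:len(b)-n], nil
}

// EncodeConfig produces the envelope described in the article (AES-ECB, then Base64).
// In this example it only serves to construct sample input for DecodeConfig.
func EncodeConfig(plaintext string) (string, error) {
	ct, err := ecb([]byte(hardcodedKey), pkcs7Pad([]byte(plaintext)), false)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

// DecodeConfig is the analyst's extractor: Base64-decode, decrypt with the static
// key, strip padding. Anyone holding the APK can run this against live configs.
func DecodeConfig(b64 string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	padded, err := ecb([]byte(hardcodedKey), ct, true)
	if err != nil {
		return "", err
	}
	pt, err := pkcs7Unpad(padded)
	return string(pt), err
}

// RepeatedBlocks counts ciphertext blocks that recur, the tell-tale ECB pattern.
func RepeatedBlocks(ct []byte) int {
	seen, dups := map[string]bool{}, 0
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		k := string(ct[i : i+aes.BlockSize])
		if seen[k] {
			dups++
		}
		seen[k] = true
	}
	return dups
}

func main() {
	// Constructed sample "C2 map"; only the entry URL is the beacon named in the article.
	sample := `{"entry":"http://38.54.1.79:9086/#/entry","routes":["/api/ads","/api/login"]}`
	b64, _ := EncodeConfig(sample)
	fmt.Println(DecodeConfig(b64))
}
```

The round trip shows why the design is convenient for operators and defenders alike: the same 16 bytes decrypt every future configuration, so a blocked domain can be rotated but the extractor never needs updating, and any block that repeats in the ciphertext repeats in the plaintext.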
The infection chain begins with a social media message or QR-code poster that directs the user to a deceptive landing page. Clicking the Start Now button triggers an immediate APK download from a legitimate-looking sub-domain such as `apk.kodownapp.top`. The domain name cannot disable Android's install-from-unknown-sources prompt; it only makes the victim more willing to accept it. Upon execution, the app uses the open-source `ApkSignatureKillerEx` framework to drop a secondary payload (`origin.apk`) into its own directory while still passing the original app's signature checks, so the repackaged clone presents itself as a legitimate upgrade.
On first run, the app beacons to `38.54.1.79:9086/#/entry`, retrieves the AES-wrapped configuration, and only then activates its ad-click automation or credential-harvesting modules. Deferring activation until the C2 responds deprives security sandboxes of the behavioral indicators they typically rely on, so a sample detonated without network access, or after the C2 has gone dark, looks inert.