More than 50 apps on Google Play include malware that secretly accesses porn sites, according to a security vendor.
According to ESET, at least 51 apps that have been available on Google Play included a "Porn Clicker Trojan" that automatically accesses porn pages in a click fraud scheme. Click fraud typically generates revenue for the perpetrators by triggering pay-per-click advertising without the apparent user's involvement, but can also involve abusing referral programs intended to reward legitimate site operators for sending traffic to another site.
The apps that install Porn Clicker are generally fake copies of popular apps such as Dubsmash and Clash of Clans 2, but also include game cheats, video downloaders and download managers, ESET officials warned.
Amazingly, the fake Dubsmash app has returned to the Google Play store at least 24 times, according to ESET malware researcher Lukáš Štefanko.
Furthermore, "A telling characteristic they all share is mainly the fact that they have been uploaded by the same developer, using the same Android/Clicker, with a capability to avoid Google malware filtering each time," he said.
The fakes have all been removed from Google Play.
While the miscreants have been getting their money from destination sites, there are at least two aspects of this scheme that affect users. Firstly, the unauthorised traffic can eat into their mobile data, leaving less for genuine use and in some cases racking up excess data charges.
Secondly, it's not a good look if you connect to a Wi-Fi network at a client's premises, an educational institution or a public library and its web filter or similar device reports that you keep trying to access porn sites.
ESET makes the usual recommendations: keep your security software up to date, and look carefully at user reviews before downloading to help ensure that you get the app you wanted, not a potentially harmful fake. Hint: the more detailed and specific the reviews are, the more likely they are to be genuine. Bogus reviews tend to be brief or generic, though that's not always the case. And sometimes a lot of genuine users will post positive reviews before the dark side of the app comes to light.
Other relevant tips include:
Stick to the 'big name' app stores (eg, Google Play and the stores operated by phone manufacturers or carriers). This is clearly not foolproof, but it does improve your chance of staying safe.
Look for familiar developers. All businesses have to start somewhere, but an app from Mircosoft would be suspicious. Similarly, the Angry Birds franchise comes from Rovio,
Check the number of installs. For example, the real Dubsmash has more than 50 million installs, but one of the fakes that ESET detected had fewer than 50,000.
Look for the Top Developer tag. Google only awards this to the best developers on Google Play, and it seems unlikely anyone would burn that reputation by distributing malware.
Look for the Editor's Choice tag. Sure, this will only be granted to a small proportion of apps, but an app that's earned it is extremely unlikely to be dodgy.
Keep Android updated. This isn't always possible, but improved security features in newer versions can help protect you.