This article is more than 1 year old

Did you know that iOS ad clicks cost more than Android? These scammers did

Malware hides cheap Android clicks as high-end Apple traffic

An enterprising malware writer has been masquerading infected Android devices as Apple gear in order to make a few extra bucks.

Researchers with SophosLabs say the Andr/Clickr-ad malware takes advantage of the demand for ads that reach iPhone owners, as advertisers believe Apple fanbois are more willing to splash their cash.

The malware, which Sophos spotted on the Google Play store, infects Android devices and uses the bots to generate fake clicks on websites and earn the malware writers a payout from advertisers. Sophos estimates the malware, hidden within a flashlight app and some games, was downloaded more than two million times.

Because ads that reach Apple devices bring higher payouts for site owners, the Clickr-ad malware takes the additional step of telling the infected Android devices to present themselves as iPhones when making the fraudulent clicks.

Ads in NYC

3ve Offline: Countless Windows PCs using 1.7m IP addresses hacked to 'view' up to 12 billion adverts a day


"What sets Clickr-ad apart from previous examples is its sophisticated attempt to pass off much of the traffic the apps generate as coming from a range of Apple models such as the iPhone 5, 6 and 8," Sophos said of the malware.

"It does this by forging the User-Agent device and app identity fields in the HTTP request. However, it is careful not to overdo the technique by allowing a portion of the traffic to use identities from a wide selection of Android models too."

Sophos said that, while the malware was taken down from the Play store in late November, its command and control servers are still online, and infected devices are still generating the bogus ad clicks. Users will have to manually uninstall the infected apps in order to stop the clickfraud.

"Simply force-closing the app won’t do the trick because it can restart itself after three minutes – a full uninstall is needed," Sophos explained,

"An extra precaution would be to conduct a full factory reset after ensuring all data has been synchronised to Google’s cloud." ®

More about


Send us news

Other stories you might like