Cybercriminals Merge Android Malware with Click Fraud Apps to Harvest Credentials
Researchers uncovered an active Android malware cluster that combines brand impersonation with traffic-monetization tactics, targeting users across multiple regions.
These malicious Android Package Kit (APK) files exploit social engineering and off-market distribution channels to evade traditional security measures, preying on user trust to exfiltrate sensitive data such as login credentials.
The campaign deploys APKs disguised as legitimate services, promotional tools, or popular brands, luring victims via phishing messages or deceptive web content into manual installations.
Once installed, these apps abuse Android’s permissive permission model, granting access to sensitive device resources, enabling background persistence, and facilitating network traffic hijacking for ad fraud.
This includes simulating user interactions to inflate ad impressions, redirect traffic through affiliate funnels, or generate fraudulent click-through metrics, all while harvesting data like contacts, call logs, and device metadata.
Diverse APK Variants
The analyzed APK samples exhibit varying sophistication but share ties to the same threat cluster, featuring modular payloads that adapt runtime behavior based on locale, language, or virtualized environments.
Categories include ad fraud apps that generate fake impressions and offer no real functionality; credential stealers that mimic the login pages of financial or social platforms to silently exfiltrate credentials; background data harvesters posing as utilities or games to collect sensitive information with minimal user interaction; task reward apps that promise incentives for ad viewing or installations but request excessive permissions and hide data collection; and gambling apps that exploit legal gray areas to access personal and financial data.

Common tactics involve traffic redirection through monetized domains, sandbox detection via emulator checks (for example, Genymotion heuristics), and encrypted command-and-control (C2) communications using AES-ECB with hardcoded keys; because the key ships inside the APK, analysts who recover it can decrypt the configuration and C2 traffic offline.
A notable variant, a spoofed Facebook APK (SHA-256: 6e47540ee83e8f0f886d24f5a948e47bdbe8cfc69b05c20e1ff2328f53d2d160), is distributed via phishing landing pages like fb20-11-en[.]9jtfb7jt[.]vip, requesting broad permissions including ACCESS_FINE_LOCATION and spoofed ones mimicking legitimate components.
Post-installation, it fetches Base64-encoded, AES-encrypted configuration files from domains such as fb.kodownapp[.]top, revealing modular C2 endpoints and fallback channels disguised as crash reporting APIs for telemetry exfiltration, including system locale, platform identifiers, and user metadata.
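The permission requests described above are the first thing a triage analyst checks. The following is an added example for this article, not code from the article or from Trustwave: it takes a list of permission strings as an analyst would extract them from an APK manifest and flags runtime-dangerous permissions, privileged permissions a third-party app should not need, and names that imitate platform permissions without being them (a misspelled namespace, or a real permission leaf under a foreign namespace). The permission list is constructed to resemble the spoofed-Facebook sample in the text and is not taken from the real APK.

```python
"""Triage an APK's requested permissions for over-privilege and spoofed names."""

# Runtime-granted ("dangerous") permissions this campaign's apps are reported
# to abuse for data harvesting.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}

# Permissions that enable overlays, accessibility abuse or sideloading of
# secondary payloads; rarely justified for a consumer app.
PRIVILEGED = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

# Namespaces that legitimately define platform permissions.
KNOWN_NAMESPACES = ("android.permission.", "com.android.", "com.google.android.")

# Leaf names (the part after the last dot) of every known sensitive permission,
# used to spot look-alikes declared under a foreign namespace.
KNOWN_LEAVES = {p.rsplit(".", 1)[-1] for p in DANGEROUS | PRIVILEGED}


def looks_spoofed(perm: str) -> bool:
    """Heuristic: the name imitates a platform permission but is not one.

    Two signals: (1) the namespace mentions 'android' but is not a known
    platform namespace (e.g. 'android.permision.READ_SMS'); (2) the leaf is a
    real sensitive permission name but sits under some other namespace
    (e.g. 'com.fb.app.permission.CAMERA'). Ordinary custom permissions such
    as '<pkg>.permission.C2D_MESSAGE' trigger neither signal.
    """
    if perm in DANGEROUS or perm in PRIVILEGED or perm.startswith(KNOWN_NAMESPACES):
        return False
    namespace, _, leaf = perm.rpartition(".")
    if "android" in namespace.lower():
        return True
    return leaf in KNOWN_LEAVES


def triage(permissions: list[str]) -> dict:
    """Classify a manifest's permissions and compute a crude review score."""
    dangerous = sorted(p for p in permissions if p in DANGEROUS)
    privileged = sorted(p for p in permissions if p in PRIVILEGED)
    spoofed = sorted(p for p in permissions if looks_spoofed(p))
    # Weights are an assumption for illustration: spoofed names are the
    # strongest signal, since a benign app has no reason to declare them.
    score = len(dangerous) + 2 * len(privileged) + 3 * len(spoofed)
    return {
        "dangerous": dangerous,
        "privileged": privileged,
        "spoofed": spoofed,
        "score": score,
        "verdict": "REVIEW" if spoofed or score >= 5 else "OK",
    }


# Constructed sample permission list (not extracted from the real APK).
SAMPLE_PERMISSIONS = [
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permision.READ_SMS",          # misspelled platform namespace
    "com.fb.app.permission.CAMERA",        # real leaf under a foreign namespace
    "com.fb.app.permission.C2D_MESSAGE",   # ordinary custom permission, not flagged
]

if __name__ == "__main__":
    report = triage(SAMPLE_PERMISSIONS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The heuristic is deliberately conservative about custom permissions: only a namespace that mentions "android" or a leaf that matches a known sensitive permission is flagged, so a vendor's own `permission.C2D_MESSAGE`-style declarations pass. Anything marked `REVIEW` should be compared against the app's advertised purpose before a verdict is reached.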
Infrastructure Insights
Further dissection revealed the malware’s use of ApkSignatureKillerEx to bypass Android signature verification, injecting secondary payloads like origin.apk for stealthy execution.
Adaptive behaviors include altering operations in detected sandboxes, delaying payloads, and selective activation based on device value, evading automated analysis.
Infrastructure analysis uncovered segmented subdomains (e.g., apk.kodownapp[.]top, tk.kodownapp[.]top) supporting campaigns impersonating brands like TikTok, with embedded references to cryptocurrency wallets and credential functions, though not always active.
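The segmented subdomains above all hang off a small number of registrable domains, which is what a defender actually blocks. The following is an added example for this article, not code from the article or from Trustwave: it refangs the defanged indicators quoted in the text (`fb20-11-en[.]9jtfb7jt[.]vip`, `fb.kodownapp[.]top`, `apk.kodownapp[.]top`, `tk.kodownapp[.]top`), groups them by apex domain, and emits DNS response policy zone (RPZ) rules that sinkhole each apex and all of its subdomains. The apex heuristic (last two labels) is an assumption for illustration; production tooling should consult the Public Suffix List.

```python
"""Normalize defanged indicators and emit RPZ blocking rules per apex domain."""
import re
from collections import defaultdict

# Common defanging conventions and their refanged forms.
DEFANG_RULES = [
    (r"\[\.\]", "."),
    (r"\(\.\)", "."),
    (r"\{\.\}", "."),
    (r"\[:\]", ":"),
    (r"hxxp", "http"),
]

HOSTNAME_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)+")


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its live form, lowercased, no trailing dot."""
    out = indicator.strip()
    for pattern, replacement in DEFANG_RULES:
        out = re.sub(pattern, replacement, out, flags=re.IGNORECASE)
    return out.lower().rstrip(".")


def apex_domain(host: str) -> str:
    """Registrable domain, approximated as the last two labels (assumption).

    This mis-groups hosts under multi-label public suffixes such as 'co.uk';
    use a Public Suffix List library for real blocklist generation.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def group_indicators(defanged: list[str]) -> dict[str, list[str]]:
    """Map apex domain -> sorted, deduplicated list of hostnames."""
    groups: dict[str, set[str]] = defaultdict(set)
    for raw in defanged:
        host = refang(raw)
        if not HOSTNAME_RE.fullmatch(host):
            continue  # not a bare hostname (URL, hash, IP, etc.): out of scope here
        groups[apex_domain(host)].add(host)
    return {apex: sorted(hosts) for apex, hosts in sorted(groups.items())}


def rpz_rules(groups: dict[str, list[str]]) -> list[str]:
    """RPZ records returning NXDOMAIN for each apex and every subdomain of it."""
    rules = []
    for apex in groups:
        rules.append(f"{apex} CNAME .")
        rules.append(f"*.{apex} CNAME .")
    return rules


# Indicators quoted in the article, in their defanged form.
ARTICLE_INDICATORS = [
    "fb20-11-en[.]9jtfb7jt[.]vip",
    "fb.kodownapp[.]top",
    "apk.kodownapp[.]top",
    "tk.kodownapp[.]top",
    "TK.kodownapp[.]top.",  # duplicate with different case and trailing dot
]

if __name__ == "__main__":
    grouped = group_indicators(ARTICLE_INDICATORS)
    for apex, hosts in grouped.items():
        print(f"{apex}: {', '.join(hosts)}")
    print("\n".join(rpz_rules(grouped)))
```

Blocking at the apex rather than per subdomain matters for a campaign that rotates brand-specific labels (`fb.`, `tk.`, `apk.`) under one registered domain; the per-host list is still kept so the SOC can match individual DNS or proxy log entries back to the brand being impersonated.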
Attribution points to possible Chinese-speaking operators, evidenced by Simplified Chinese in code and panels, hosting on Alibaba Cloud, and alignment with underground economies trading stolen mobile data, affiliate fraud kits, and device fingerprinting APIs.
According to the Trustwave report, this ecosystem enables scalable, low-friction attacks via malware-as-a-service models.
The campaign’s blend of ad fraud and credential theft underscores the dual intent of monetization and intelligence gathering for future exploits.
To counter such threats, users should restrict installations to trusted sources like Google Play, scrutinize unsolicited APKs from messaging or promotions, and enhance awareness of permission abuse.
Organizations must prioritize mobile app supply chain visibility and user education to bolster defenses against these adaptive, persuasive malware operations.