Threat Actors Combine Android Malware With Click Fraud Apps to Steal Login Credentials
A fresh wave of malicious Android Package Kit (APK) files is weaving together two of cybercrime’s most reliable revenue streams—click-fraud advertising and credential theft—into a single, adaptable threat that has begun circulating across Southeast Asia, Latin America, and parts of Europe.
Disguised as casual games, task-reward utilities, or even clones of legitimate Chrome or Facebook apps, the malware lures users away from Google Play to sideload rogue installers, a tactic that neatly sidesteps Google’s built-in vetting controls and capitalizes on social-engineering hooks such as “Get Free $5” or “Create Your Ad Campaign”.
Once the APK lands on a victim’s handset, the app immediately requests an excessive bouquet of permissions—camera, contacts, account management, and the ability to run foreground services—well beyond what any lightweight game or coupon app should need.
Trustwave SpiderLabs analysts identified the campaign while tracing a Facebook-ads themed lure that automatically dropped a payload named fb20-11-en.apk from a spoofed domain.
Their telemetry shows that the same infrastructure fans out dozens of variant apps, each region-tuned to impersonate banks, telecoms, or betting platforms yet compiled from a common code base.
Victims are hit twice. In the foreground, the app silently loads parked domains and affiliate funnels, simulating taps and scrolls to inflate ad-impression counts, a maneuver clearly displayed in the redirection chain.
In the background, convincing login forms siphon usernames, passwords, and occasionally one-time PINs, forwarding them to an encrypted command-and-control (C2) back end.
This dual-purpose architecture, analysts warn, lets operators monetize every infected device immediately while quietly harvesting data for resale or later account takeover.
Under the hood, the cluster relies on a modular configuration system that ships its C2 map as a Base64 string encrypted with AES in Electronic Codebook (ECB) mode.
A hard-coded key, 123456789mangofb, is embedded directly in the APK, enabling the malware to decode fresh API routes on the fly and rotate infrastructure when domains are blocked.
The relevant routine, decompiled by Trustwave, is reproduced below (imports and comments added here for clarity):
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
import android.util.Base64;
// "AES" alone resolves to AES/ECB/PKCS5Padding: no IV and no integrity check
Cipher cipher = Cipher.getInstance("AES");
byte[] keyBytes = new byte[16];
// The 16-byte key is copied straight out of a string literal in the APK
System.arraycopy("123456789mangofb".getBytes(), 0, keyBytes, 0, 16);
SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
cipher.init(Cipher.DECRYPT_MODE, keySpec);
// encryptedData holds the Base64 config string; flag 0 is Base64.DEFAULT
byte[] decrypted = cipher.doFinal(Base64.decode(encryptedData, 0));
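An added Go helper, not Trustwave's code and not from the malware, that re-implements the decompiled routine so an analyst can recover the C2 map from a Base64 blob lifted out of a sample: it uses the key the article reports and rejects malformed input instead of crashing. The config JSON and the example.invalid host inside it are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"fmt"
)

const HardcodedKey = "123456789mangofb" // 16-byte key the article reports embedded in the APK

// DecryptConfig mirrors the decompiled routine: Base64 decode, AES/ECB decrypt,
// then strip the PKCS#5 padding that Cipher.getInstance("AES") applies by default.
func DecryptConfig(b64, key string) (string, error) {
	buf, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return "", err
	}
	block, err := aes.NewCipher([]byte(key))
	if err != nil || len(buf) == 0 || len(buf)%aes.BlockSize != 0 {
		return "", fmt.Errorf("bad key length or ciphertext not block-aligned")
	}
	for i := 0; i < len(buf); i += aes.BlockSize { // ECB: each block decrypted on its own
		block.Decrypt(buf[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
	}
	n := int(buf[len(buf)-1]) // PKCS#5 trailer: n bytes, each equal to n
	if n == 0 || n > aes.BlockSize || n > len(buf) || !bytes.Equal(buf[len(buf)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad padding: wrong key or corrupt blob")
	}
	return string(buf[:len(buf)-n]), nil
}

// EncryptSample is the inverse (PKCS#5 pad, AES/ECB, Base64); it exists only to build a constructed test blob.
func EncryptSample(plain, key string) (string, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	buf := append([]byte(plain), bytes.Repeat([]byte{byte(pad)}, pad)...)
	for i := 0; i < len(buf); i += aes.BlockSize {
		block.Encrypt(buf[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
	}
	return base64.StdEncoding.EncodeToString(buf), nil
}

func main() {
	blob, _ := EncryptSample(`{"api":"hxxp://c2.example.invalid/entry"}`, HardcodedKey) // constructed sample
	fmt.Println(DecryptConfig(blob, HardcodedKey))
}
```

Point DecryptConfig at the real blob extracted from an APK's assets or string table to pull out the API routes for blocking.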
Infection Mechanism: From Sideload to Silent Control
Installation begins with a social-media message or QR-code poster that pushes users to a look-alike landing page.
Tapping the “Start Now” button launches an immediate APK download and, crucially, suppresses Android’s normal install-source warning by blending the file path with legitimate-looking sub-domains such as apk.kodownapp.top.
Once executed, the app leverages the open-source ApkSignatureKillerEx framework to graft a secondary payload (origin.apk) into its own directory without invalidating the original signature, guaranteeing the OS treats it as a trustworthy upgrade.
On first run, it issues a beacon to 38.54.1.79:9086/#/entry, retrieves the AES-wrapped config, and only then activates the ad-click automation or credential-harvesting modules, significantly reducing the behavioral noise most sandboxes rely on for detection.
By the time the user notices anomalous battery drain or data spikes, both ad revenue and fresh credential sets have long since been exfiltrated through a fallback “crash-log” channel masquerading behind a seemingly innocuous sub-domain.