Mobile advertising trojans, stalkerware peak in 2019

News by Chandu Gopalakrishnan

MAT recorded a two-digit growth in detected installation packages, while stalkerware incidents grew at least twice from that of 2018, reported Kaspersky

What should we worry most about while downloading an app? Mobile advertising trojans (MAT) and stalkerware, notes the Mobile Malware Evolution report by Kaspersky.

MAT recorded a two-digit growth in detected installation packages, while stalkerware incidents at least doubled compared with 2018, said the report. MAT is about unfair and illegal monetising of mobile advertisements, while stalkerware consists of commercial spyware applications, usually installed on devices without the knowledge or consent of the user.

Adware is different from the usual clicker malware, said Victor Chebyshev, research development team lead - non-intel research at Kaspersky. 

“Advertising trojans and clickers, both related to adware, are quite similar but not the same.

Advertising trojans are basically designed to display advertisements on a device, redirect search requests to advertising websites and collect marketing data about users, so that customised adverts can be displayed. On the other hand, clickers attempt to connect to online resources, either by sending commands to the browser or by replacing system files that specify standard site addresses,” he told SC Media UK. 

“Clicker malware usually just falsifies clicks on advertisements within an application in an attempt to generate revenue. Mobile Advertising Trojans (MATs), in contrast, are typically more sinister applications that attempt to acquire root access on the device to aggressively display out-of-app ads or install other applications without the user's knowledge or consent,” Kristina Balaam, senior security intelligence engineer at Lookout told SC Media UK.

Even without root privileges, MATs can attempt to install certain plugins hidden within distributed applications that trigger out-of-app ads on the device without the ability to be easily uninstalled by the user, she said. 

“The BeiTaAd family distributed by CooTek is one such example. Many MATs also attempt to subscribe the user to premium services (whether these are app purchases or premium SMS subscriptions) without the user's consent and knowledge. They may also contain the kinds of clicking functionality seen in clicker malware.” 

Both exist for commercial gain, with the first one more about collecting personal data for further use, said Chebyshev.

“It is also important to note that clickers don’t click only on ads but also on subscription services, leading to actual financial losses for the user. While the direct impact of adware doesn’t result in financial loss, it will see users inundated with a significant influx of advertising spam.”

In its largest crackdown on ad fraud, Google last week banned nearly 600 apps from the Play Store for violating its “disruptive ads policy” and “disallowed interstitial policy”.

“Mobile ad fraud is an industry-wide challenge that can appear in many different forms with a variety of methods, and it has the potential to harm users, advertisers and publishers,” said the Google blog post that announced the move.

Apps removed include popular ones from Cheetah Mobile, a publicly traded Chinese company.

A BuzzFeed investigation in November 2018 revealed that Cheetah had been conducting ad fraud. Following the report, Google removed one of the malicious apps but allowed the firm to continue offering other apps. In the latest drive, Cheetah’s entire suite of nearly 45 apps was removed from the Play store. 

“Ad fraud can be incredibly lucrative. Many established companies that attempt to incorporate some form of advertising fraud into their applications already have a significant user base and a sizeable engineering team,” said Balaam.

While the engineering team crafts more sophisticated ad fraud functionality that can be hidden within the application, the company's dedicated customers often don't expect the apps to contain malicious functionality - especially if the app has been used for an extended period of time without any signs of fraudulent advertising activity, she explained.

“Furthermore, the greater the user base for an app conducting ad fraud, the greater the revenue.”

Unlike MAT, stalkerware stays hidden, operating in the background. These applications have access to significant amounts of personal data, such as device location, browser history, text messages, social media chats, photos and more, said the Kaspersky report.

Using the detection criteria suggested by the Coalition Against Stalkerware, the report assessed that attacks on the personal data of mobile device users increased from 40,386 unique targets in 2018 to 67,500 in 2019.

“From a technical point of view, it is pretty similar to the spyware used in industrial espionage and similar contexts, and in the past we've seen some threat actors focused on targeted attacks using spyware that technically could be classified as stalkerware, but we must take into account that what mainly defines this classification (stalkerware) is the context in which a spyware was used,” said Daniel Creus, senior security researcher, European Research Centre, Kaspersky.

“Stalkerware is more about discreet installation; it requires physical access to the device or root rights. However, sources of infection with spyware may indeed vary,” he told SC Media UK.

The nature and operation of the malware have won it many takers interested in targeted snooping. However, when an employee’s work device gets infected by stalkerware, that person becomes an internal threat to the employer, warns Creus.

“Despite the classification -- stalkerware, in the end, is a subtype of spyware -- having an infected device in this context poses a real threat.”
