Invisible Adware: Unveiling Ad Fraud Targeting Android Users

Authored by SangRyol Ryu, McAfee Threat Researcher

We live in a world where advertisements are everywhere, and it’s no surprise that users are becoming tired of them. By contrast, developers are driven by profit and seek to incorporate more advertisements into their apps. However, there exist certain apps that manage to generate profit without subjecting users to the annoyance of ads. Is this really good?  

Recently, McAfee’s Mobile Research Team discovered a concerning practice among some apps distributed through Google Play. These apps load ads while the device’s screen is off, which might initially seem convenient for users. However, it’s a clear violation of Google Play Developer policy on how ads should be displayed. This affects not only the advertisers who pay for invisible Ads, but also the users as it drains battery, consumes data and poses potential risks such as information leaks and disruption of user profiling caused by Clicker behavior. 

The team has identified 43 apps that collectively downloaded 2.5 million times. Among the targeted apps are TV/DMB Player, Music Downloader, News, and Calendar applications. McAfee is a member of the App Defense Alliance focused on protecting users by preventing threats from reaching their devices and improving app quality across the ecosystem. We reported the discovered apps to Google, which took prompt action. Most apps are no longer available on Google Play while others are updated by the developer. McAfee Mobile Security detects this threat as Android/Clicker. For more information, and to get fully protected, visit McAfee Mobile Security. 

Many affected apps

How does it work? 

This ad fraud library uses specific tactics to avoid detection and inspection. It deliberately delays the initiation of its fraudulent activities, creating a latent period from the time of installation. What’s more, all the intricate configurations of this library can be remotely modified and pushed using Firebase Storage or Messaging service. These factors significantly add to the complexity of identifying and analyzing this fraudulent behavior. Notably, the latent period typically spans several weeks, which makes it challenging to detect. 

Getting latent period by using Firebase Messaging Service 

It is important to be cautious about the implications of granting permissions, such as excluding ‘power saving’ and allowing ‘draw over other apps’. These permissions can enable certain activities to occur discreetly in the background, raising concerns about the intentions and behavior of the applications or libraries in question. Allowing these permissions can result in more malicious behavior, such as displaying phishing pages, also to displaying ads in the background. 

Asked permissions to run in the background and keep it hidden 

When the device screen is turned off after the latent period, the fetching and loading of ads starts, resulting in users being unaware of the presence of running advertisements on their devices. This ad library registers device information by accessing the unique domain (ex: linked with the application. Then go to Firebase Storage to get the specific advertisement URL and show the ads. It is important to note that this process consumes power and mobile data resources. 

Observed traffic when the screen off 

If users quickly turn on their screens at this point, they might catch a glimpse of the ad before it is automatically closed. 

Example of an advertising site displayed when the screen is off 

In conclusion, it is essential for users to exercise caution and carefully evaluate the necessity of granting permissions like power saving exclusion, or draw over other apps before allowing them. While these permissions might be required for certain legitimate functionalities for running in the background, it is important to consider the potential risks linked with them, such as enabling hidden behaviors or reducing the relevance of ads and contents displayed to users because the hidden Clicker behavior. By using McAfee Mobile Security products, users can further safeguard their devices and mitigate the risks linked with these kinds of malware, providing a safer and more secure experience. For more information, visit McAfee Mobile Security


Indicators of Compromise (IoC’s)


Android Packages 

Package Name  Application Name  SHA256  Google Play Downloads  DMB TV  f3e5aebdbd5cd94606211b04684730656e0eeb1d08f4457062e25e7f05d1c2d1  10,000+  DMB TV  6aaaa6f579f6a1904dcf38315607d6a5a2ca15cc78920743cf85cc4b0b892050  100,000+  DMB TV  a98c5170da2fdee71b699ee145bfe4bdcb586b623bbb364a93bb8bdf8dbc4537  10,000+  DMB TV  5ec8244b2b1f516fd96b0574dc044dd40076ff7aa7dadb02dfefbd92fc3774bf  100,000+ 
kr.dmb.onair  DMB TV  e81c0fef52065864ee5021e1d4c7c78d6a407579e1d48fc4cf5551ff0540fdb8  5,000+  DMB TV  33e5606983526757fef2f6c1da26474f4f9bf34e966d3c204772de45f42a6107  50,000+  DMB TV  a13e26bce41f601a9fafdec8003c5fd14908856afbab63706b133318bc61b769  100+ 
com.breakingnews.player  뉴스 속보  d27b8e07b7d79086af2fa805ef8d77ee51d86a02d81f2b8236febb92cb9b242d  10,000+  달력  46757b1f785f2b3cec2906a97597b7db4bfba168086b60dd6d58d5a8aef9e874  10,000+  뮤직다운  a3fe9f9b531ab6fe79ed886909f9520a0d0ae98cf11a98f061dc179800aa5931  100,000+ 
com.musicdown  뮤직다운  5f8eb3f86fc608f9de495ff0e65b866a78c25a9260da04ebca461784f039ba16  5,000+  뮤직다운  397373c39352ef63786fe70923a58d26cdf9b23fa662f3133ebcbc0c5b837b66  100,000+  바로TV  3b4302d00e21cbf691ddb20b55b045712bad7fa71eb570dd8d3d41b8d16ce919  10,000+  바로TV  760aa1a6c0d1e8e4e2d3258e197ce704994b24e8edfd48ef7558454893796ebe  50,000+  바로TV  b83a346e18ca20ac5165bc1ce1c8807e89d05abc6a1df0adc3f1f0ad4bb5cd0c  10,000+ 
kr.baro.dmb  바로TV  84a4426b1f8ea2ddb66f12ef383a0762a011d98ff96c27a0122558babdaf0765  100,000+  바로TV  cccfdf95f74add21da546a03c8ec06c7832ba11091c6d491b0aadaf0e2e57bcc  1,000+  바로TV  c76af429fabcfd73066302eeb9dd1235fd181583e6ee9ee9015952e20b4f65bf  50,000+  바로TV  6c61059da2ae3a8d130c50295370baad13866d7e5dc847f620ad171cc01a39e9  10,000+ 
freemusic.ringtone.player  벨소리 무료다운  75c74e204d5695c75209b74b10b3469babec1f7ef84c7a7facb5b5e91be0ae3e  100,000+  실시간 TV  8d881890cfa071f49301cfe9add6442d633c01935811b6caced813de5c6c6534  50,000+  실시간 TV  1501dd8267240b0db0ba00e7bde647733230383d6b67678fc6f0c7f3962bd0d3  50,000+ 
eight.krdmb.onair  실시간 TV  bbd6ddbfee7482fe3fe8b5d96f3be85e09352711a36cd8cf88cfdeaf6ff90c79  10,000+  실시간 TV  5f864aa88de07a10045849a7906f616d079eef94cd463e40036760f712361f79  10,000+ 
kr.dmb.nine  실시간 TV  ea49ad38dd7500a6ac12613afe705eb1a4bcab5bcd77ef24f2b9a480a34e4f46  100,000+  실시간 TV  f09cff8a05a92ddf388e56ecd66644bf88d826c5b2a4419f371721429c1359a7  10,000+  실시간 TV  e8d2068d086d376f1b78d9e510a873ba1abd59703c2267224aa58d3fca2cacbd  100,000+  실시간 TV  1b64283e5d7e91cae91643a7dcdde74a188ea8bde1cf745159aac76a3417346e  50,000+  실시간 TV  bd0ac9b7717f710e74088df480bde629e54289a61fc23bee60fd0ea560d39952  100,000+  실시간 TV  d7dd4766043d4f7f640c7c3fabd08b1a7ccbb93eba88cf766a0de008a569ae4d  1,000+  실시간 TV  b84b22bc0146f48982105945bbab233fc21306f0f95503a1f2f578c1149d7e46  10,000+  실시간 TV  516032d21edc2ef4fef389d999df76603538d1bbd9d357a995e3ce4f274a9922  50,000+  실시간 TV  5d07a113ce389e430bab70a5409f5d7ca261bcdb47e4d8047ae7f3507f044b08  50,000+  실시간 TV  afc8c1c6f74abfadd8b0490b454eebd7f68c7706a748e4f67acb127ce9772cdb  100,000+  실시간 TV  6234eadfe70231972a4c05ff91be016f7c8af1a8b080de0085de046954c9e8e7  50,000+  음악다운  ded860430c581628ea5ca81a2f0f0a485cf2eeb9feafe5c6859b9ecc54a964b2  500,000+  음악다운  bede67693a6c9a51889f949a83ff601b1105c17c0ca5904906373750b3802e91  100,000+  음악다운  fee6cc8b606cf31e55d85a7f0bf7751e700156ce5f7376348e3357d3b4ec0957  1,000+  음악다운  b2c1caab0e09b4e99d5d5fd403c506d93497ddb2de3e32931237550dbdbe7f06  100,000+ 
com.alltrot.player  트로트 노래모음  469792f4b9e4320faf0746f09ebbcd8b7cd698a04eef12112d1db03b426ff70c  50,000+ 
com.trotmusic.player  트로트 노래모음  879014bc1e71d7d14265e57c46c2b26537a81020cc105a030f281b1cc43aeb77  5,000+  파도 MP3  f2bbe087c3b4902a199710a022adf8b57fd927acac0895ab85cfd3e61c376ea5  100,000+  파도 MP3  9c84c91f28eadd0a93ef055809ca3bceb10a283955c9403ef1a39373139d59f2  100,000+ 



Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top