{"id":77647,"date":"2017-09-12T06:00:59","date_gmt":"2017-09-12T13:00:59","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=77647"},"modified":"2025-05-27T20:44:26","modified_gmt":"2025-05-28T03:44:26","slug":"android-click-fraud-app-repurposed-ddos-botnet","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/","title":{"rendered":"Android Click-Fraud App Repurposed as DDoS Botnet"},"content":{"rendered":"<p>The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations, including recent examples on <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/android-malware-clicker-dgen-found-google-play\/\" target=\"_blank\" rel=\"noopener\">Google Play<\/a> in 2016 and <a href=\"https:\/\/securingtomorrow.mcafee.com\/mcafee-labs\/android-click-fraud-apps-briefly-return-google-play\/\" target=\"_blank\" rel=\"noopener\">Clicker.BN<\/a> last month. These threats are characterized by a common behavior: They appear innocuous but in the background they perform HTTP requests (simulating clicks) on paid \u201cadvertainment\u201d to make money for a specific developer.<\/p>\n<p>This behavior means that a URL is permanently requested via HTTP. Hypothetically, if the target and frequency of that request were modified, we could classify it as a DDoS attack. After all, the app uses the same main malware functionality and botnet infrastructure. From ad fraud to DDoS is only one step\u2014and that is what some variants of Clicker.BN have taken. We have now seen click-fraud Android Trojans repurposed to perform DDoS attacks.<\/p>\n<p>Most of the control servers of this Android\/Clicker botnet\u2014<a href=\"https:\/\/krebsonsecurity.com\/2017\/08\/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet\/\" target=\"_blank\" rel=\"noopener\">aka WireX<\/a>\u2014were taken down in late August.<\/p>\n<p>The apps that perform click-fraud and those that launch DDoS attacks have much in common: the technique to configure headers from the control server, the domains axclick[.]store and ww[56]8[.]ybosrcqo.us (which have been taken down though others remain active), how they keep control server parameters updated in the local cache, and how the target server performs each HTTP request without loading cache data. They are share methods of obfuscation, packing strategies, and methodology for publishing on Google Play.<\/p>\n<h2>Data and Parameters<\/h2>\n<p>The apps do have differences, however. The control server subdomain and GET methods vary, as well as the delimiters used to split the received parameters and the order and data of received parameters:<\/p>\n<ul>\n<li>Click-fraud components receive:\n<ul>\n<li>Target URL<\/li>\n<li>JavaScript function (to simulate mouse-over clicks)<\/li>\n<li>User agent<\/li>\n<li>Google Play package<\/li>\n<\/ul>\n<\/li>\n<li>DDoS components receive:\n<ul>\n<li>Target URL<\/li>\n<li>User agent<\/li>\n<li>HTTP referrer (same as target URL in our tests)<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>The DDoS variants put the traffic generation in a loop to fully complete each HTTP request many times:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-77649 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png\" alt=\"\" width=\"631\" height=\"279\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png 631w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1-300x133.png 300w\" sizes=\"auto, (max-width: 631px) 100vw, 631px\" \/><\/p>\n<p><em>DDoS authors increased the frequency of the HTTP requests to 100 per minute. (Click-fraud implementations send a request each 55 seconds using same code structure.)<\/em><\/p>\n<p>Other DDoS variants perform a UDP flood attack on the target, based on data received from the control server (host and port) and implemented as follows:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-77650 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-2.png\" alt=\"\" width=\"1469\" height=\"465\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170908-Clicker-2.png 1469w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170908-Clicker-2-300x95.png 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170908-Clicker-2-768x243.png 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170908-Clicker-2-1024x324.png 1024w\" sizes=\"auto, (max-width: 1469px) 100vw, 1469px\" \/><\/p>\n<p>The previous thread (C1343a) is executed 50 times by the following method (m7240a), which is invoked after loading the parameters from the control server. These are refreshed every 50, 55, or 60 seconds (depending on the variant).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-77651 size-full\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-3.png\" alt=\"\" width=\"280\" height=\"87\" \/><\/p>\n<p>All variants of this threat use an uncommon method to receive and parse parameters from the control server: They arrive inside the title tag of an HTML file, and vary based on a key string used to parse the parameters. We discussed this in our analysis of Clicker.BN.<\/p>\n<p>We mentioned some other curiosities in our Clicker.BN post. The delimiter strings look a bit like anagrams: \u201cWireX\u201d comes from the string \u201csnewxwri.\u201d Early Clicker.BN variants used the delimiter \u201ceindoejy,\u201d which could represent \u201cI enjoyed\u201d or \u201cdie enjoy.\u201d More delimiters are present in other variants of this threat.<\/p>\n<p>&nbsp;<\/p>\n<p>Click fraud in 2017 <a href=\"http:\/\/www.adloox.com\/news\/the-ad-fraud-issue-could-be-more-than-twice-as-big-as-first-thought-advertisers-stand-to-lose-164-billion-to-it-this-year\" target=\"_blank\" rel=\"noopener\">could cost US$16 billion<\/a>, according to one source. DDoS attacks have their own underground market. Moving from one mobile threat to another is not new. We have seen Android ransomware switch to banking Trojans (in 2016) and premium SMS Trojans move to wireless application protocol billing.<\/p>\n<p>Malware authors pursue profits with different strategies, taking advantage of already developed infrastructure. In this case, Android\/Clicker.BN created a mobile botnet and distributed the infecting vector on Google Play, repackaging the threat to look like a clean app and widely distributing it across the globe. The authors modified this malware only a little bit to launch the massive DDoS attack known as WireX.<\/p>\n<p>McAfee Mobile Security detects this threat as Android\/Clicker.BN!Gen and prevents its execution. To further protect yourself against malicious apps, use only legitimate app stores, and pay attention to suspicious traits such as nonsense names, missing descriptions, and poor user reviews. Also, verify that the app\u2019s request for permissions are related to its functionality. Be wary when apps request device administration API access, which is usually requested only by security apps, antimalware, mobile device management, or corporate email clients. Most apps and games will never ask for device admin rights.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations, including recent examples&#8230;<\/p>\n","protected":false},"author":833,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[37,49,76,214],"coauthors":[2035],"class_list":["post-77647","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-android","tag-botnet","tag-cybercrime","tag-mobile-security1"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Android Click-Fraud App Repurposed as DDoS Botnet<\/title>\n<meta name=\"description\" content=\"The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Android Click-Fraud App Repurposed as DDoS Botnet\" \/>\n<meta property=\"og:description\" content=\"The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2017-09-12T13:00:59+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-28T03:44:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png\" \/>\n\t<meta property=\"og:image:width\" content=\"631\" \/>\n\t<meta property=\"og:image:height\" content=\"279\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Fernando Ruiz\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fernando Ruiz\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/\"},\"author\":{\"name\":\"Fernando Ruiz\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/0ed97a1d0ce0c90c2a9ef2fbab555922\"},\"headline\":\"Android Click-Fraud App Repurposed as DDoS Botnet\",\"datePublished\":\"2017-09-12T13:00:59+00:00\",\"dateModified\":\"2025-05-28T03:44:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/\"},\"wordCount\":716,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png\",\"keywords\":[\"android\",\"botnet\",\"cybercrime\",\"mobile security\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/\",\"name\":\"Android Click-Fraud App Repurposed as DDoS Botnet\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png\",\"datePublished\":\"2017-09-12T13:00:59+00:00\",\"dateModified\":\"2025-05-28T03:44:26+00:00\",\"description\":\"The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Android Click-Fraud App Repurposed as DDoS Botnet\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/0ed97a1d0ce0c90c2a9ef2fbab555922\",\"name\":\"Fernando Ruiz\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/5b6dec450e97e87f9a57fae15bae5d34\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/7fa953f9b978dc1f77d7abb273aa5ec1?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/7fa953f9b978dc1f77d7abb273aa5ec1?s=96&d=mm&r=g\",\"caption\":\"Fernando Ruiz\"},\"description\":\"Fernando Ruiz is a Security Researcher in McAfee Labs. He specializes in mobile threats and Android malware. Ruiz performs deep analysis and reverse engineering of malicious code, packers, and vulnerabilities; and creates detection technologies to proactively protect people against a wide spectrum of malware and potentially unwanted programs.\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/fernando-ruiz\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Android Click-Fraud App Repurposed as DDoS Botnet","description":"The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Android Click-Fraud App Repurposed as DDoS Botnet","og_description":"The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations.","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2017-09-12T13:00:59+00:00","article_modified_time":"2025-05-28T03:44:26+00:00","og_image":[{"width":631,"height":279,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png","type":"image\/png"}],"author":"Fernando Ruiz","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Fernando Ruiz","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/"},"author":{"name":"Fernando Ruiz","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/0ed97a1d0ce0c90c2a9ef2fbab555922"},"headline":"Android Click-Fraud App Repurposed as DDoS Botnet","datePublished":"2017-09-12T13:00:59+00:00","dateModified":"2025-05-28T03:44:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/"},"wordCount":716,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png","keywords":["android","botnet","cybercrime","mobile security"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/","name":"Android Click-Fraud App Repurposed as DDoS Botnet","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png","datePublished":"2017-09-12T13:00:59+00:00","dateModified":"2025-05-28T03:44:26+00:00","description":"The McAfee Mobile Research Team tracks the behavior of Android click-fraud apps. We have detected multiple implementations.","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2017\/09\/20170908-Clicker-1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/android-click-fraud-app-repurposed-ddos-botnet\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Android Click-Fraud App Repurposed as DDoS Botnet"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/0ed97a1d0ce0c90c2a9ef2fbab555922","name":"Fernando Ruiz","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/5b6dec450e97e87f9a57fae15bae5d34","url":"https:\/\/secure.gravatar.com\/avatar\/7fa953f9b978dc1f77d7abb273aa5ec1?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/7fa953f9b978dc1f77d7abb273aa5ec1?s=96&d=mm&r=g","caption":"Fernando Ruiz"},"description":"Fernando Ruiz is a Security Researcher in McAfee Labs. He specializes in mobile threats and Android malware. Ruiz performs deep analysis and reverse engineering of malicious code, packers, and vulnerabilities; and creates detection technologies to proactively protect people against a wide spectrum of malware and potentially unwanted programs.","url":"https:\/\/www.mcafee.com\/blogs\/author\/fernando-ruiz\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/77647","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/833"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=77647"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/77647\/revisions"}],"predecessor-version":[{"id":214518,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/77647\/revisions\/214518"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=77647"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=77647"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=77647"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=77647"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}