Fake versions of popular games like Grand Theft Auto are being used to distribute an Android Trojan on the Google Play Store. Security researchers found 342 apps in the Play Store which were used to infect Android users with a Trojan dubbed the “Porn Clicker.” The oldest of the listed apps was uploaded to the Play Store in June 2015. 

When a user installs one of the decoy programs like “GTA San Andreas Free” or “Tinder v2,” the Trojan runs in the background and the promised program is never launched. Instead, the Trojan opens an invisible browser window and generates fake clicks on pornographic advertisements to earn revenue for its authors. As reported by security researchers at ESET, “These links will be loaded every 60 seconds into WebView inside an invisible window, with a random clicking pattern applied.” The scope of the Trojan’s malicious activity is limited to these fake clicks in an invisible browser, but such an infection will likely drain the phone’s battery and may cause the affected user’s data charges to spike.  

To remain hidden, the Trojan has been coded to detect 56 different mobile anti-virus programs. When one of these programs is detected, it remains dormant on the user’s device. In a long term plan to keep the Trojan under wraps, it doesn’t launch the invisible window to generate clicks as not to be exposed by the installed antivirus program. Currently it detects mobile antivirus programs from Avast, Symantec, and Kaspersky among others. 

As the Porn Clicker Trojan has been deployed using numerous games and apps as decoys (find the list here) one of the ways users can protect themselves is by only downloading from reputable publishers on the Play Store and by looking at user reviews and comments. Most of the apps spreading the Porn Clicker trojan have received negative reviews and comments from previous users. In contrast to the popular phrase “don’t read the comments,” sometimes it pays to read the comments.