Threat Actors Combine Android Malware With Click Fraud Apps to Steal Login Credentials

A new wave of malicious Android Package Kit (APK) files is merging two well-established avenues of cybercrime: click-fraud advertising and credential theft. This adaptable threat has begun to make its rounds in regions such as Southeast Asia, Latin America, and parts of Europe.

These APKs masquerade as casual games, task-reward utilities, or clones of legitimate applications such as Chrome or Facebook. Because victims are talked into sideloading the installers, the apps never pass through Google Play’s review; the lures lean on social-engineering hooks such as “Get Free ” or “Create Your Ad Campaign.”

Upon installation, the app requests a concerning array of permissions—such as access to the camera, contacts, account management, and the ability to run foreground services—far exceeding what a simple game or coupon app would typically require.

Trustwave SpiderLabs analysts uncovered this campaign while investigating a Facebook-ads themed lure that automatically downloaded a payload named fb20-11-en.apk from a spoofed domain. Their findings reveal that the same infrastructure supports numerous variant apps, each tailored to impersonate local banks, telecom companies, or betting platforms, yet all derived from a common code base.

Victims face a dual threat. On one front, the app silently loads parked domains and affiliate funnels while simulating user interactions to inflate ad-impression counts; that activity is visible in the redirection chain.

Redirection chain (Source – Trustwave)

On the other front, it presents convincing login forms that capture usernames, passwords and, in some cases, one-time PINs, which are then posted to an encrypted command-and-control (C2) backend. This dual-purpose architecture lets operators monetize each infected device immediately while also collecting data for resale or later account takeovers.

At its core, the malware is driven by a modular configuration system: its C2 map is delivered as a Base64 string that decodes to AES ciphertext in Electronic Codebook (ECB) mode. The key, 123456789mangofb, is hard-coded in the APK, which lets the malware decode new API routes on the fly and rotate infrastructure when domains are blocked. The same hard-coded key also works for an analyst: anyone holding the APK can decrypt every configuration the C2 serves, and because ECB uses no IV, identical plaintext blocks produce identical ciphertext blocks across updates.

import android.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;
// "AES" alone resolves to AES/ECB/PKCS5Padding on Android: no IV, no chaining
Cipher cipher = Cipher.getInstance("AES");
// the 16-byte key ships inside the APK, so anyone with the file can decrypt the config
byte[] keyBytes = new byte[16];
System.arraycopy("123456789mangofb".getBytes(), 0, keyBytes, 0, 16);
SecretKeySpec keySpec = new SecretKeySpec(keyBytes, "AES");
cipher.init(Cipher.DECRYPT_MODE, keySpec);
// encryptedData is the Base64 string fetched from the C2
byte[] decrypted = cipher.doFinal(Base64.decode(encryptedData, 0));
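The decoder below is an added worked example, not Trustwave’s code or the malware’s: it re-implements the same unwrapping (Base64, then AES-128-ECB with the key recovered from the APK, then PKCS#7 padding removal) in Go so an analyst can decrypt captured config blobs offline. The sample config and its field names are assumptions, since the real format was not published; the encrypt helper exists only to build a blob to decrypt. It also counts repeated 16-byte ciphertext blocks, the tell-tale sign of ECB under a static key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/base64"
	"errors"
	"fmt"
)

// MangoKey is the 16-byte (AES-128) key reported hard-coded in the APK.
const MangoKey = "123456789mangofb"

// SampleConfig is a constructed stand-in for the C2 map; the page does not
// publish the real format, so the field names are assumptions. The entry URL
// is the beacon endpoint reported by Trustwave.
const SampleConfig = `{"entry":"http://38.54.1.79:9086/#/entry","mode":"adclick"}`

// pkcs7Pad/pkcs7Unpad mirror the PKCS5Padding that Java's plain "AES"
// transformation applies; Unpad rejects malformed padding instead of trusting it.
func pkcs7Pad(data []byte) []byte {
	n := aes.BlockSize - len(data)%aes.BlockSize
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of 16")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > aes.BlockSize || n > len(data) ||
		!bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding (wrong key or corrupt blob)")
	}
	return data[:len(data)-n], nil
}

// ecb applies the block operation to each 16-byte block on its own: ECB has
// no IV and no chaining, which is exactly why it leaks plaintext structure.
func ecb(op func(dst, src []byte), data []byte) []byte {
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out
}

// DecryptConfig undoes the wrapping in the order the malware applies it:
// Base64 -> AES-128-ECB -> strip PKCS#7 -> raw config bytes.
func DecryptConfig(b64 string, key []byte) ([]byte, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("base64: %w", err)
	}
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	c, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return pkcs7Unpad(ecb(c.Decrypt, ct))
}

// EncryptConfig is the server-side inverse; it is here only to build a
// sample blob offline, since no real captured blob is available.
func EncryptConfig(plain, key []byte) (string, error) {
	c, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ecb(c.Encrypt, pkcs7Pad(plain))), nil
}

// RepeatedBlocks counts 16-byte ciphertext blocks that occur more than once.
// Under ECB identical plaintext blocks encrypt identically, so a non-zero
// count is a cheap tell that a blob is ECB and that the config repeats itself.
func RepeatedBlocks(b64 string) (int, error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return 0, err
	}
	seen := map[string]int{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])]++
	}
	dup := 0
	for _, n := range seen {
		dup += n - 1
	}
	return dup, nil
}

func main() {
	key := []byte(MangoKey)
	blob, _ := EncryptConfig([]byte(SampleConfig), key) // stands in for the C2 response
	plain, err := DecryptConfig(blob, key)
	dup, _ := RepeatedBlocks(blob)
	fmt.Printf("blob=%s\nconfig=%s err=%v repeatedBlocks=%d\n", blob, plain, err, dup)
}
```

Decrypting with the wrong key does not fail inside AES itself; it is the padding check that trips, and only with high probability (a random last byte equals 0x01 about one time in 256), so treat a clean parse of the decrypted JSON, not the padding alone, as confirmation that the key is right.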

Infection Mechanism: From Sideload to Silent Control

The infection chain typically begins with a social-media message or a QR-code poster that leads to a look-alike landing page. Tapping “Start Now” triggers an immediate APK download from a legitimate-looking host such as apk.kodownapp.top; the host name does not disable Android’s install-from-unknown-sources prompt, but it is chosen so that the victim waves that prompt through.

Once running, the app relies on the open-source ApkSignatureKillerEx framework, which packs the original application into the package as origin.apk and hooks the app’s own signature checks so that they return the original developer’s certificate. A repackaged copy therefore passes any in-app integrity check it was shipped with; the operating system itself still sees the attacker’s signing key, so what is defeated is the app’s self-verification rather than Android’s package signature check.

AES-wrapped config (Source – Trustwave)

On first run, the app beacons to 38.54.1.79:9086/#/entry, retrieves the AES-wrapped configuration, and only then enables the ad-click automation or credential-harvesting modules. Deferring all malicious behaviour until that check-in keeps the behavioural noise that sandboxes rely on to a minimum: a sample detonated without reaching the C2 shows little of what it really does.

By the time users notice unusual battery drain or data spikes, both the ad revenue and fresh credential sets have already left the device through a fallback “crash-log” channel hosted on an innocuous-looking sub-domain.
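The scanner below is an added example, not part of the Trustwave write-up: it runs the network indicators named on this page (the beacon host:port, the download host and the payload file names) over a constructed, simplified proxy log to show how each indicator type is matched differently. The log lines, their timestamps and client addresses are made up; the indicators are the ones reported above.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Indicators taken from the write-up: the beacon endpoint, the download host
// (matched together with any sub-domain) and the payload file names.
var (
	BeaconHostPort = "38.54.1.79:9086"
	DownloadHosts  = []string{"kodownapp.top"}
	PayloadNames   = []string{"fb20-11-en.apk", "origin.apk"}
)

// SampleLog is a constructed, simplified proxy log: "time client method url".
var SampleLog = []string{
	"2025-01-01T10:00:00Z 10.0.0.5 GET https://apk.kodownapp.top/dl/fb20-11-en.apk",
	"2025-01-01T10:00:03Z 10.0.0.5 POST http://38.54.1.79:9086/#/entry",
	"2025-01-01T10:01:00Z 10.0.0.7 GET https://www.example.com/index.html",
	"2025-01-01T10:02:00Z 10.0.0.9 GET https://cdn.example.net/static/FB20-11-EN.apk",
}

// Hit records which line matched and why, so the analyst can triage by reason.
type Hit struct {
	Line   int
	Reason string
	URL    string
}

func hostMatches(host string, domains []string) bool {
	for _, d := range domains {
		if host == d || strings.HasSuffix(host, "."+d) {
			return true
		}
	}
	return false
}

func nameMatches(p string, names []string) bool {
	base := strings.ToLower(path.Base(p))
	for _, n := range names {
		if base == n {
			return true
		}
	}
	return false
}

// ScanProxyLog parses the URL of each line and tests it, in order of
// confidence, against the beacon host:port, the download domain and the
// payload file name. Host and file-name comparisons are case-insensitive.
func ScanProxyLog(lines []string) []Hit {
	var hits []Hit
	for i, ln := range lines {
		f := strings.Fields(ln)
		if len(f) < 4 {
			continue // malformed line: skip rather than crash
		}
		u, err := url.Parse(f[3])
		if err != nil || u.Host == "" {
			continue
		}
		host := strings.ToLower(u.Hostname())
		switch {
		case strings.ToLower(u.Host) == BeaconHostPort:
			hits = append(hits, Hit{i + 1, "C2 beacon host:port", f[3]})
		case hostMatches(host, DownloadHosts):
			hits = append(hits, Hit{i + 1, "APK download host", f[3]})
		case nameMatches(u.Path, PayloadNames):
			hits = append(hits, Hit{i + 1, "known payload file name", f[3]})
		}
	}
	return hits
}

func main() {
	for _, h := range ScanProxyLog(SampleLog) {
		fmt.Printf("line %d: %s  %s\n", h.Line, h.Reason, h.URL)
	}
}
```

The file-name match is the weakest of the three (the last sample line hits on name alone, on an unrelated host), which is why the reasons are kept separate: a beacon or download-host hit is worth paging on, a bare file-name hit is worth a look.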
