Concerns about click fraud are growing among marketers and advertisers who place pay-per-click or pay-per-impression ads. Click fraud is becoming an increasingly pressing issue every year. In this article, we will discuss what click fraud malware looks like, how it infects unsuspecting users' devices, the damage it causes, and ways to combat it.
Contents
1. What is click fraud?
2. What are Trojans?
3. Examples of malware for click fraud on PC: Miuref and Trojan.Kovter
4. Examples of malware on mobile devices: Chamois, DrainerBot, Tekya
4.1. Chamois
4.2. DrainerBot
4.3. Tekya
5. Malware on iOS
6. How malware infects a user's device
7. Who is behind the click fraud malware?
8. How to protect your device from malware
What is click fraud?
Let us recall that click fraud is the systematic and deliberate clicking or viewing of advertisements by a person or a program in order to spend the advertiser's budget in favor of the donor site where the advertisement is placed. Malware, in turn, is a program that forces its own installation on the user's PC in order either to spread further to other unprotected devices or to let someone control the PC remotely for fraudulent or other illegal operations.
So what is click fraud malware? It is a program that is installed on a computer and used by a botmaster (the master, the creator of this program) to perform click fraud attacks.
What are Trojans?
Do you know what a Trojan virus is? You've probably heard the term "Trojan horse." It comes from the ancient Greek epic "Iliad" by Homer, which describes a military trick: in order to get into besieged Troy, the Achaeans built a huge wooden horse, hid soldiers in it, and presented this "gift" to the Trojans as an offering to the goddess Athena.
The unsuspecting rulers brought the horse inside the city walls, thinking that the Achaeans had surrendered and ended the siege. That same night, Achaean spies climbed out of the horse, opened the gates of Troy and let the army in. Troy fell. This is also where the famous expression "Fear the Danaans bearing gifts" comes from.
So, a Trojan is a type of program (virus) that has an attractive shell and seems harmless, but in fact, it secretly introduces its malicious code to the device and independently manages the processes on it for its own purposes.
The malware can perform operations automatically (stealing user data and access, blocking the operating system, etc.) or perform malicious actions under remote control (DDoS attacks or clicking on ads, for example). Such automated bots are united into a common network - a botnet - and pose a serious threat to the advertising community.
Examples of malware for click fraud on PC: Miuref and Trojan.Kovter
Miuref and Trojan.Kovter are two examples of click fraud malware that have been active for several years. The first embeds itself in the Firefox, Chrome and IE browsers, replaces the browser's search engines and redirects users to fake search engines with links to fake sites carrying ads. The second is a "disembodied" (fileless) Trojan that lives in the RAM of an infected PC, opens IE in the background, visits donor sites with ads and inflates ad views or clicks on them.
Miuref and Trojan.Kovter are "descendants" of another botnet - 3ve, whose activity was stopped in November 2018. In total, these malware families have infected several million computers around the world, and the damage from the attacks is about 30 million dollars.
Examples of malware on mobile devices: Chamois, DrainerBot, Tekya
In mobile click fraud, fraudsters use several techniques. Click injection means sending the report about the first launch of an installed application with the fraudster's channel tag artificially substituted, even if the application was downloaded through organic search. Click spamming means randomly clicking on hidden or embedded ads in the background, as well as visiting external sites with advertising.
Although the 3ve botnet made a lot of noise at the time, had a destructive impact on the advertising environment and was eliminated, click fraud malware technologies do not stand still and are gaining momentum at a terrifying speed.
In 2024, eight malicious apps with a combined download count of two billion were discovered on Google Play. They caused millions of dollars in damage to advertisers. Using a special built-in technology, the malicious code of the apps easily bypassed Google's Play Protect security system on Android.
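As an added illustration (not part of the original article), here is how an advertiser could screen install-attribution records for the two techniques described above. The record fields, source names and both thresholds are assumptions made for this example, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Hypothetical fields: "source" is the credited
# channel tag, "click" the credited ad click, "download" the start of the
# store download, "first_open" the first-launch report.
INSTALLS = [
    {"id": "i1", "source": "net_a", "click": "2024-05-01T10:00:00",
     "download": "2024-05-01T10:00:20", "first_open": "2024-05-01T10:02:00"},
    {"id": "i2", "source": "net_c", "click": "2024-05-01T11:05:30",
     "download": "2024-05-01T11:04:00", "first_open": "2024-05-01T11:05:33"},
    {"id": "i3", "source": "net_c", "click": "2024-05-01T12:10:00",
     "download": "2024-05-01T12:10:02", "first_open": "2024-05-01T12:10:06"},
    {"id": "i4", "source": "net_b", "click": "2024-05-01T09:00:00",
     "download": "2024-05-01T13:00:00", "first_open": "2024-05-01T13:05:00"},
    {"id": "i5", "source": "net_a", "click": "2024-05-01T14:00:00",
     "download": "2024-05-01T14:01:00", "first_open": "2024-05-01T14:04:00"},
]
# Constructed click totals reported per source for the same period.
CLICKS = {"net_a": 400, "net_b": 90000, "net_c": 350}

MIN_CLICK_TO_OPEN_S = 10   # assumed: a real download plus install takes longer
MIN_CONVERSION = 0.001     # assumed: installs per click below this look like spam


def injected(rec):
    """Click injection: the credited click lands after the download already
    began, or only seconds before the first launch."""
    click, download, opened = (datetime.fromisoformat(rec[k])
                               for k in ("click", "download", "first_open"))
    return click > download or (opened - click).total_seconds() < MIN_CLICK_TO_OPEN_S


def spamming_sources(installs, clicks):
    """Click spamming: a source reports huge click volume but almost no installs."""
    per_source = defaultdict(int)
    for rec in installs:
        per_source[rec["source"]] += 1
    return sorted(s for s, n in clicks.items()
                  if n and per_source[s] / n < MIN_CONVERSION)


def review(installs, clicks):
    """Return the install ids and sources that deserve a manual look."""
    return {"injection": [r["id"] for r in installs if injected(r)],
            "spamming": spamming_sources(installs, clicks)}


if __name__ == "__main__":
    print(review(INSTALLS, CLICKS))
```

Flagged records are candidates for review and for withholding payment, not proof of fraud; the thresholds need tuning against each advertiser's own traffic.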
Chamois
In 2018, Google noticed the return of apps infected with the Chamois malware family, which was thought to have been eliminated in 2017. Apps carrying it were downloaded 200 million times in 2018. The malware was designed to steal user data, as well as to commit click fraud and SMS fraud.
DrainerBot
DrainerBot is another malware that has infected apps on Google Play. It has been downloaded 10 million times. The malware got its name due to its ability to collect huge amounts of data. Its purpose is to “hijack” the device to watch video ads in the background.
While advertisers were losing money on bots viewing their ads, DrainerBot was also increasing the mobile phone bills of the smartphone users it was parasitizing.
Tekya
In 2020, several new botnets were detected, Tekya among them. The malware infected 56 apps, which were downloaded more than a million times. Most of the apps were aimed at children: educational games and puzzles. However, they also included online calculators, recipe apps, and online translators.
In fact, during the COVID-19 pandemic, there has been a sharp increase in mobile ad fraud to 62%.
Malware on iOS
But enough about Android and Google Play: fraudsters plant their malware not only on smartphones running this operating system. Although the Apple Store quality control service monitors applications a little more strictly than Google does, cases of malware still emerge periodically.
For example, the XCodeGhost program was embedded in a number of popular applications in China, including WeChat, the Chinese version of WhatsApp. Another case is the Exodus spyware, which, although not click fraud malware, showed that iOS smartphones are also susceptible to virus attacks.
How malware infects a user's device
The classic way to infect a device with malware is through a file attached to an email from an unknown sender, which the user downloads and opens. Usually this is a Word or PDF document, and often an EXE file. As users learn to recognize and ignore spam with incomprehensible attachments, malware creators look for new ways to distribute their programs.
In 2024, the most common ways to infect PCs, Macs and mobile devices were:
- Cracked or free software from an unknown source.
- Pop-up ads or landing pages like “Play and win 1,000,000 rubles” or “Watch adult videos.”
- Codec downloads offered for watching free movies.
- Suspicious streaming services.
- Unknown applications or applications with a lot of built-in advertising.
- And sometimes even verified applications!
In short, malware is spread through careless and thoughtless human actions: accidentally clicking on an ad, not having antivirus software on the device, visiting phishing and other infected sites.
Who is behind the click fraud malware?
Surely many people imagine hackers and coders as bespectacled guys who write viruses on the sly and with the lights off. The reality is different. Malicious software is written and managed by entire criminal groups, since huge amounts of money are involved in cyber fraud.
For example, the Methbot botnet is one of the most famous advertising fraud networks, which, according to experts, brought the Russian criminal group about $3 million a day from clicking and viewing ads by bots.
By creating click fraud malware, these gangs expand their reach and presence and stay ahead of the curve when someone tries to shut down their botnet distribution channels. Of course, when you're making $3 million a day, you can hire a few hackers to write new malware.
And even seemingly legal businesses can be involved in click fraud and malware distribution. For example, in 2017, one criminal group opened 28 fake advertising agencies and purchased millions of pseudo-views through various services.
How to protect your device from malware
The best way to protect yourself from malware is to not download unknown programs and files from unknown sources. Use only those resources that you trust. Go only to official websites. Do not click on random pop-up windows out of inertia - always read what is written on them and where the "Yes/No" buttons are located.
Here are some more helpful tips:
- Update antivirus software on your devices. If possible, purchase a paid license.
- Do not disable the firewall.
- Use complex passwords for your accounts - uppercase and lowercase letters, numbers, acceptable symbols. It is advisable to use different passwords for different accounts.
- Disable autoload on your PC.
- Disable or remove unnecessary software on mobile devices and smart home items.
- Turn off Bluetooth when not in use.
- Avoid visiting suspicious sites that offer free downloads of commercial software or paid movies, or ask you to download codecs or plugins.
- Do not download clones of famous applications to your phone.
Be careful what you do on the Internet when visiting websites, viewing content, downloading and interacting with elements of web resources. Cybercriminals use many ways to deceive ordinary users.