Ongoing Google Play Attacks Plague Japanese with Variation on One-Click Fraud

In what may be the biggest security-related incident on Google Play this year, multiple Trojans targeting Japanese users were discovered carrying the strain of Android one-click fraud. McAfee Mobile Research has already identified multiple developer accounts that were used to spread the malware and confirmed that more than 80 applications of this type existed on Google Play as of this writing. We have also reported additional developer accounts to Google Play Security for investigation and revocation.


Our investigation into the apps have shown that new variants of one-click fraud have been altered so that the fraud is not immediately identifiable unless the victim interacts with the apps–in effect making the apps “two-click fraud” or even “three-click fraud”–and making the automated screening and scanning process difficult.

In fact, these applications simply invoke the web browser on the device or the web-view component inside the application to load the web contents. This extra step by the fraudulent activities makes the automated detection of this type of malware more difficult.


One-click fraud is a threat vector that is unique to Japan and has been around for more than a decade on PCs, but recent aggressive tactics during the past year show that the criminals behind this scam are committed to exploiting mobile devices.

By using two or more clicks to commit fraud, an attacker can more easily trick users into believing that they are actually registered in the fraudulent service. Victims are more likely to pay money or give detailed personal information to the attacker.

In the current fraud, the attacker used multiple developer accounts on Google Play, as well as almost the same description of the applications across these separate accounts. This indicates that this type of fraudulent application variant is easily created and distributed. Actually, the attacker created new developer accounts soon after old accounts were banned due to malware reporting and published almost the same applications with minor changes under these new accounts.

What is worse, the essential part of this fraud occurs on the websites rather than inside the Android application, so there are still risks that the number of victims will increase via web browsing even if these applications are removed from Google Play.

McAfee detects this malware family as Android/OneClickFraud. We also detect and block the web accesses to the URLs used in this series of online fraud to protect users when they encounter the malicious fraud sites using their browsers. Make sure to keep your McAfee security products updated and stay tuned to McAfee Labs blogs for additional information as we continue our investigation.