Japanese One-Click Scammers Abuse Mobile Traffic Exchange Service

McAfee has been monitoring and reporting extensively on one-click-fraud malware for Android in Japan this year. These attacks, primarily on Google Play, have become more active recently. We have found about 400 fraudulent apps in July alone. We consistently report these issues to Google, which promptly revokes the apps, but the scammers never stop uploading the malware.

The scammers host many one-click-fraud websites, and the Android applications trick users into visiting the sites and paying a service fee. In typical cases, the sites request users to pay money for service registration after several clicks. In other cases, users are required to make a phone call to the service for authentication and registration, after which the scammer calls them back or sends SMS messages to their numbers to request payment if the users refuse to pay a service fee.

Today we found an application on Google Play that can lead users to those fraudulent websites in a different way. In this application, a mobile “traffic exchange service” redirects users to a selected website that has been registered as a member of the service. A traffic exchange service allows site owners to secure visitors by buying traffic or in exchange for leading users to other members’ sites.

 

The application displays a link button with the fixed URL “http://mobile.p[BLOCKED]h.com/porn12345.com/3coq/direct” at the top of the screen, and the user is redirected to one of the registered websites by clicking on the link.

 

This appears to be a harmless application published by a non-Japanese developer targeting users worldwide. It is not clear whether the application was developed with malicious intent, but we have confirmed that Japanese users are redirected with a very high probability to one-click-fraud sites hosted by the scammers. This might be because the service is aware of the location or language of visitors, or because the scammers are buying or exchanging a substantial amount of traffic to increase the visit count for their own sites. At the least, this shows that the one-click scammers have registered their fraudulent sites in the traffic exchange service and are abusing the mechanism, expecting that many mobile users in Japan will visit their sites.

 

The traffic exchange service itself seems to be legitimate, though it is known to be often used to generate free traffic to adult sites. Therefore, we cannot easily detect and block the use of this kind of service in an application as malicious activity. Users should always be careful about the sites they are redirected to and should know how one-click-fraud scammers deceive their visitors. If you reach such a site accidentally, simply ignore the service registration notice and payment request.

McAfee registers such malicious websites in our URL reputation database immediately so that McAfee Mobile Security can block web access.
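Because the exchange entry URL is the same for every visitor, the verdict has to be made on the hop the user actually lands on. The following is an added example, not McAfee's code: it scores each hop of a logged redirect chain against a reputation list and measures, per locale, how often the exchange leads to a listed site. The log format, hostnames, and reputation entries are constructed placeholders.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed reputation entries (placeholders, not real indicators).
BAD_DOMAINS = {"fraud-site.example", "oneclick.example"}

# Constructed redirect chains as a proxy might log them: (locale, [hop URLs]).
CHAINS = [
    ("ja-JP", ["http://exchange.example/direct", "http://www.fraud-site.example/top"]),
    ("ja-JP", ["http://exchange.example/direct", "http://oneclick.example/reg?id=1"]),
    ("ja-JP", ["http://exchange.example/direct", "http://member-a.example/"]),
    ("en-US", ["http://exchange.example/direct", "http://member-a.example/"]),
    ("en-US", ["http://exchange.example/direct", "http://member-b.example/"]),
]

def is_bad(url, bad=BAD_DOMAINS):
    """True if the URL's host equals, or is a subdomain of, a listed domain."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    # Compare on label boundaries so "notfraud-site.example" does not match.
    return any(".".join(labels[i:]) in bad for i in range(len(labels)))

def first_blocked_hop(chain):
    """Index of the first hop with bad reputation, or None if the chain is clean."""
    for i, url in enumerate(chain):
        if is_bad(url):
            return i
    return None

def fraud_rate_by_locale(chains):
    """Share of chains per locale that reach a listed site."""
    hits, totals = defaultdict(int), defaultdict(int)
    for locale, chain in chains:
        totals[locale] += 1
        hits[locale] += first_blocked_hop(chain) is not None
    return {loc: hits[loc] / totals[loc] for loc in totals}

if __name__ == "__main__":
    for locale, chain in CHAINS:
        print(locale, chain[-1], "blocked at hop", first_blocked_hop(chain))
    print(fraud_rate_by_locale(CHAINS))
```

The exchange entry hop is never flagged on its own; only chains that reach a listed destination are blocked, and the per-locale rate makes a skew like the one observed for Japanese users visible.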