Windows 10 News and info | Forum
November 12, 2018, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances.
 
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
  Print  
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Ad Clicker Hiding as Google Photos App Found in Microsoft Store  (Read 49 times)
javajolt
Administrator
Hero Member
*****
Offline Offline

Gender: Male
United States United States

Posts: 29153


I Do Windows


WWW Email
« on: October 14, 2018, 05:37:24 PM »
ReplyReply

A malicious app called "Album by Google Photos" was found in the Microsoft Store today that pretends to be from Google. This app pretends to be part of Google Photos but is actually an ad clicker that repeatedly opens hidden advertisements in Windows 10.

This free Album by Google Photos app claims to be created by Google LLC and has a description of "Finally, a photos app that's as smart as you.".  You can see an image of its Microsoft Store page below.


Microsoft Store Page

As this is an ad clicker, the reviews for the app are not very good. One review calls it a "Fake App" and another is titled "Fake, do not install".


Reviews

Below we will dig down and explain how the ad clicker works and the types of advertisements that are displayed.

The Album by Google Photos Ad Clicker

The Album by Google Photos app is a PWA app (progressive web app) that acts as a front end to Google Photos, but with a bundled ad clicker. While the app is running, this ad clicker will repeatedly connect to remote hosts and display advertisements in the background in order to generate revenue for the developers.

The ad clicker component consists of three files located in the app's folder called Block Craft 3D.dll, Block Craft 3D.exe, and Block Craft 3D.xr. You can see these files in the image of the folder below.


Album by Google Photos Folder

When a user starts the Album by Google Photos app they will be greeted by a screen asking them to log in to Google Photos. This is a legitimate login screen from Google and though I did not see any indications that your logins are being stolen, I would still not advise logging into Google Photos with this app.


Google Photos Login Page

In the background, the app will then connect to http://11k.online/Ad/constants/9n0wkj6hpz86.json and download a configuration file. This configuration file, shown below, contains settings on how often ads should be displayed, the URLs to the advertisement pages, and more. The configuration file also indicates that ads may be displayed directly in the app, but BleepingComputer did not see any when testing the app.


Part of the Configuration File

After the app reads the configuration file, it will connect to the various "AdBanner" URLs and display them in the background. You can see in the Fiddler traffic below the app connecting to each of the ad URLs.


Fiddler Traffic

When displaying an advertisement, it will do so in the background and not display it to the user. So if the advertisement has audio, like a tech support scam, the user will hear it but not be able to see where it is coming from. This can be eerie when your computer starts telling you that it is infected because of a tech support scam ad, but you see no indication what application is generating the warning.

When testing the ad URLs from the configuration file, the advertisements that were displayed were very similar to what we would see from adware. These ads included tech support scams, tons of pages pushing unwanted Chrome extensions, fake Java and Flash installers, blogs who are buying traffic, and other low-quality sites.

For example, below you can see a tech support scam opened by the app that is pushing an unwanted system optimizer program by stating Windows is vulnerable.


Example of a hidden ad

It is not known how an app like this could have passed the review process by Microsoft considering it pretends to be from Google. Furthermore, as the reviews state that this is malware or malicious, you would think it would have triggered an alert to review it further.

BleepingComputer has contacted Microsoft with questions regarding the review process but had not heard back from Microsoft by the time of this publication. This article will be updated with Microsoft's statement if we hear back from them.

source
« Last Edit: October 15, 2018, 02:17:58 PM by javajolt » Logged



Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page October 17, 2018, 04:06:52 AM