
PreAMo

Posted: April 22, 2019

PreAMo is a Trojan clicker that uses your hardware to generate fake advertising traffic. While not as harmful as most Trojans, nor as disruptive to your browsing experience as adware, it is a security risk and should be uninstalled. PreAMo installs itself through corrupted phone applications; anti-malware products suitable for an Android environment should remove it safely.

Advertising Attacks with Three Agency Specialties

The booming smartphone industry means a corresponding boom in Black Hat phone applications, which use various means of compromising phone owners for purposes ranging from ransoming files, like the Sauron Locker Ransomware, to snatching secret information, like the Exodus Malware. PreAMo is a new and, presumably, highly profitable example of a third kind of payload for phone environments: advertising fraud. Unfortunately, the applications carrying it also reached fifty-plus million downloads on the official Google Play store.

PreAMo's installations took place through a series of separate applications for cameras, flashlights, and several system cleaner tools, all of which appear to have connections to DO Global, a Chinese application developer. They attracted initial interest from Buzzfeed due to their combination of high download numbers and unusually large permission requests for user data. Further joint research with the AV industry then turned up PreAMo's code inside them.

PreAMo is not merely an unusual specimen but a genuine sub-variety of Trojan. Malware analysts outline how its basic structure implies that its developers are significantly familiar with Web advertising practices, since its compartmentalized trio of components includes a separate method of handling fraud for each of three agencies: Presage, AdMob and MoPub. Each section of code creates fake clicks on those companies' advertising banners, which earns the threat actors money per click. The knowledge it leverages goes so far as injecting Trojan code into the agency's open-source library where applicable, replacing the default Web clients, and layering different callbacks for detecting advertisements.

Preempting a "Mo' Advertisements, Mo' Problems" Infection

Unlike adware, PreAMo doesn't display advertisements to users. Since its purpose is to hide as long as possible while silently generating ad revenue, it has few to no symptoms. However, Android phone users can check their installed applications for any names that match the lists of known PreAMo installers. Although the Google Play store has removed these applications, others may remain unidentified and available.

In general, malware experts recommend avoiding application downloads that aren't from trusted sources, although, in this case, that precaution is imperfect, since the carrier applications were on the official store. Other general guidelines that phone users can follow to reduce their risk from corrupted applications include:

  • Double-check the reviews and comments for an application download; they can help users identify potential symptoms of suspicious behavior from applications that look legitimate.
  • Be careful with links from sources you aren't sure are safe, especially 'shortened' URLs that hide their complete addresses. This warning encompasses social media platforms, e-mail, and even SMS messaging.
  • Keep an up-to-date, active security solution on your phone that's compatible with its OS, such as Android.

Many AV vendors' products should block all PreAMo variants or uninstall them properly, since malware researchers find no code implying advanced anti-detection or removal-prevention features, such as kernel-level privileges.

PreAMo creates hard questions about the nature of advertising and business across borders that require equally harsh answers. When millions of users around the world are installing Chinese digital assistant applications that perform tasks they're not telling the user about, the money that advertising reaps becomes a sword that cuts back on its wielder.
