Introduction
Dubsmash is a mobile app to create short "selfie" videos dubbed with famous sounds. It is extremely popular and is currently ranked #10 under Top free Android apps. The users of this app include many well-known celebrities who eventually post the dubbed videos on popular social networking platforms like Facebook and Twitter.
The popularity of this app has caught the attention of malware authors too, as is evident from a string of Trojan Porn Clicker apps disguised as Dubsmash that were posted on the Google Play Store in the past month (covered in the ESET and AVAST blogs). The malicious apps mentioned in those blogs were quickly taken down by Google. However, we continue to see newer variants of the same malware family being uploaded to the Google Play store, with the latest one posing as Dubsmash V3.
[Figure: Google Play - Trojan Porn Clicker app]
Although the malicious app poses as Dubsmash, the icon that the user sees upon installation imitates Settings, Memory Game, or a Flappy Bird app. The newest iteration of this malicious app has already been downloaded nearly 5,000 times.
[Figure: Fake App Icon]
The malware automatically removes the icon once the user quits the application for the first time; however, it continues to run in the background, as seen below.
[Figure: Porn Clicker Process]
Porn Clicker analysis
The purpose of this malware is to generate revenue for the malware author by generating clicks on adult porn websites. While it may be good news that the user's credentials or sensitive information are not being stolen, the malware can still lead to financial loss for end users through increased mobile data usage.
The Porn Clicker variants described in the previous blogs involved hardcoded, encrypted porn URLs in the malicious APK, whereas we are now seeing the newer variant dynamically retrieving the porn URLs from a remote server.
[Figure: Clicking activity]
The malicious app in our case contained two hardcoded URLs shown in the screenshot below:
[Figure: Porn Clicker remote servers]
Preconfigured URLs:
- memr[.]oxti.org/g/getasite/ - The malicious app will get a new porn URL to visit from this location.
- memr[.]oxti.org/z/z2/ - This location currently serves JavaScript code that will result in a random click on the porn site that gets visited by the app.
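A way to hunt for this fetch-then-click behaviour in web proxy logs, added here as an example and not taken from the original analysis or the malware. The log format, the `http` scheme, the client addresses and the function names are assumptions; the host and the two paths are the ones listed above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators from the write-up, refanged only for matching.
C2_HOST = "memr[.]oxti.org".replace("[.]", ".")
ROLES = {"/g/getasite/": "url_fetch", "/z/z2/": "click_script"}

# Constructed sample proxy log, assumed format: "<timestamp> <client> <method> <url>"
SAMPLE_LOG = """\
2015-05-20T10:00:01Z 10.0.0.15 GET http://{h}/g/getasite/
2015-05-20T10:00:02Z 10.0.0.15 GET http://{h}/z/z2/
2015-05-20T10:00:05Z 10.0.0.22 GET http://example.com/index.html
2015-05-20T10:01:01Z 10.0.0.15 GET http://{h}/g/getasite/
2015-05-20T10:02:00Z 10.0.0.31 GET http://{H}/g/getasite/?x=1
2015-05-20T10:02:09Z 10.0.0.40 GET http://not{h}.example.net/g/getasite/
malformed line
""".format(h=C2_HOST, H=C2_HOST.upper())

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def classify(url):
    """Return the role of a URL, or None if it is not one of the two endpoints."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != C2_HOST:  # exact host, not substring
        return None
    return next((r for p, r in ROLES.items() if parts.path.startswith(p)), None)

def hunt(log_text):
    """Map client -> {role: hit count} for clients that contacted the endpoints."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing
        _ts, client, _method, url = m.groups()
        role = classify(url)
        if role:
            hits[client][role] += 1
    return {c: dict(r) for c, r in hits.items()}

def verdict(roles):
    """Both endpoints seen matches the URL fetch plus click script described above."""
    return "clicker_pattern" if len(roles) == len(ROLES) else "c2_contact"

if __name__ == "__main__":
    for client, roles in sorted(hunt(SAMPLE_LOG).items()):
        print(client, verdict(roles), roles)
```

A client that shows `clicker_pattern` is a candidate for checking the installed package list on that device.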
The screenshots below show the porn URLs that are dynamically retrieved by the malicious app from the first location.
[Figure: Porn URL1]
[Figure: Porn URL2]
[Figure: Porn URL3]
The JavaScript leveraged by the malicious app from a remote location to perform click fraud is shown in the screenshot below.
[Figure: JavaScript - Random Click]
It appears that the malware author keeps uploading and removing the same app on the Google Play store under different accounts. During the course of this write-up, we saw the following two variations:
- Dubsmash V3 [Package name: com.memr.gamess] - has been removed
- Dubsmash 2 [Package name: com.jet.dubsh] - still active
Conclusion
The first variant of the Porn Clicker app masquerading as Dubsmash was reported in April 2015, and it is concerning to see newer variants of the same malware slipping through Google's app vetting process even today. The malware authors are still using Dubsmash as a disguise to trick end users into downloading the malicious app.
Users are strongly advised to check the reviews and ratings of apps, even when downloading them from the official Google Play store. If you are infected with such an app, you can delete it by going to Settings > Apps > (AppName).
Write-up by: Viral Gandhi & Deepen Desai