Discovery of Fake Google Photos App Impersonating Ad Clicker on Microsoft Store
According to the release note of the malicious app Album of Google Photos on the Microsoft Store, the app is developed by Google LLC and is a smart photo app for users. Below is a screenshot of the app's release note on its Microsoft Store page:
Given the nature of this advertisement-clicking tool, receiving low user ratings is expected. Some even consider it a counterfeit application, advising users against installation.
Advertisement-Click Tool for Google Photos Albums
Google Photos Albums (Album by Google Photos) is a Progressive Web App (PWA) with a user interface similar to Google Photos. However, it integrates advertisement-clicking mechanisms. While running, these mechanisms continuously connect to remote servers, displaying ads in the background to generate revenue and profit for the developer.
The advertisement-clicking tool consists of three files residing in the application's directory: Block Craft 3D.dll, Block Craft 3D.exe, and Block Craft 3D.xr. An image of the files in that directory is shown below:
Upon launching the Google Photos application, users encounter a window prompting them to log in to Google Photos. The window closely resembles a legitimate Google login window, and there are no discernible signs that user login information is being compromised. Nevertheless, Mytour advises against logging into Google Photos or one's Google account through this application.
Subsequently, the application connects in the background to http://11k.online/Ad/constants/9n0wkj6hpz86.json to retrieve its configuration file. This configuration file contains settings such as how often advertisements are displayed, the URLs of the advertising websites to load, and more. It also specifies the methods by which advertisements are displayed directly within the application.
After reading the configuration file, the application connects to the 'AdBanner' URLs and loads them in the background. The Fiddler capture below shows the application's traffic as it connects to each advertising URL.
The advertisements are displayed in the background without the user's awareness. Even if users hear audio from the advertisements, they cannot tell where it is coming from, and no application on the device raises an alert about these advertisements.
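The behaviour described above (one process fetching the 11k.online configuration file and then issuing a burst of background requests to advertising hosts) is something a defender can flag from a traffic capture. The following Python script is an added example, not code from the original article or from the app; it assumes a simplified "process URL" line format for the captured traffic (a hypothetical layout, not Fiddler's real export format) and uses a constructed sample log.

```python
from collections import Counter
from urllib.parse import urlparse

# Indicators taken from the article: the configuration URL the app fetches
# and the executable name of the ad-clicking component.
CONFIG_URL = "http://11k.online/Ad/constants/9n0wkj6hpz86.json"
ADCLICK_PROCESS = "Block Craft 3D.exe"

# Constructed sample capture in a hypothetical "<process> <url>" layout
# (not a real Fiddler export). Ad hosts are placeholder .test names.
SAMPLE_LOG = """\
Block Craft 3D.exe http://11k.online/Ad/constants/9n0wkj6hpz86.json
Block Craft 3D.exe http://ads.example-adnet.test/banner?id=1
Block Craft 3D.exe http://ads.example-adnet.test/banner?id=2
Block Craft 3D.exe http://support-scam.example.test/alert
msedge.exe https://photos.google.com/
"""


def parse_log(text):
    """Split each non-empty line into (process, url).

    The process name may contain spaces, so split on the last space only;
    URLs in a capture never contain a bare space."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        process, _, url = line.rpartition(" ")
        records.append((process, url))
    return records


def analyze(records):
    """Collect, for the ad-click process only, whether the config file was
    fetched and how many requests went to each other host."""
    findings = {"config_fetch": False, "ad_hosts": Counter()}
    for process, url in records:
        if process != ADCLICK_PROCESS:
            continue
        if url == CONFIG_URL:
            findings["config_fetch"] = True
        else:
            findings["ad_hosts"][urlparse(url).hostname] += 1
    return findings


def verdict(findings, min_ad_requests=3):
    """Flag the host when the config fetch was followed by a burst of
    requests to other hosts (the threshold is an assumed tuning value)."""
    total = sum(findings["ad_hosts"].values())
    return findings["config_fetch"] and total >= min_ad_requests
```

Running analyze(parse_log(SAMPLE_LOG)) over the constructed log returns the config fetch plus three ad requests across two hosts, and verdict() flags it; requests from the unrelated browser process are ignored.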
Inspecting the URLs from the configuration file shows that the displayed advertisements closely resemble those served by adware: technical support scams, pages pushing unwanted Chrome extensions, fraudulent Java and Flash installers, blogs with purchased traffic, and other low-quality websites.
For instance, below is a technical support scam advertisement triggered by the application; it promotes system optimization programs by claiming that Windows is vulnerable.
It's unclear how this application manages to evade Microsoft's filters while masquerading as a Google application. Regarding Microsoft's stance, the company has yet to respond to this issue. Mytour advises users against installing apps deemed counterfeit. Before installing any app, thoroughly research user reviews and ratings. Refer to guides on installing and using Google Photos on your computer.