Unexpected guests

The imitation game

Tuesday, April 7, 2020

Encryption ransomware, banking trojans, and rogue miners are programs with distinct features (the program is launched and its code is executed to accomplish a specific task). But they aren’t the only types of malware. Sometimes attackers need malicious programs to emulate user actions.

User emulation refers to applications that perform the same actions users perform.

This gives an observer or another program the impression that they are dealing with a human being.

Why would somebody want to do something like that? For example, emulation can be used to conduct transactions online, increase an ad’s click count, and mount attacks on online stores.

AuthBot malware programs simulate mouse movements, generate random keystrokes and browse through webpages to emulate user behaviour.

These malicious programs mount attacks after a user has signed in. These types of attacks include web scraping (gathering data for analysis) as well as checkout abuse and denial of inventory attacks that disrupt the operation of online stores.


Let's assume that someone wants to promote a certain site in the search results. This requires that user activity take place on it. And, preferably, it should look like someone is actually interested in the content, not just loading pages one after another.

Top search engines factor behaviour patterns into their site rankings. Let's assume that site Y is ranked seventh in the search results. If a substantial number of users pick the seventh link first, click on it, and view the website for at least a couple of minutes, the search engine will soon decide that site Y is the most relevant one for this query.

That's why ADRD simulates interested users who enter search queries, click on a certain result instead of the one at the top, and carefully rummage through a site’s content, thus increasing its behavioural score.


Search engines, in turn, actively oppose this.

Services or software programs that imitate user activity have been used to promote your site.
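
How a search engine might spot the boosting described above, as an added example that is not from the original article or from any search engine's actual code. It flags a result that is picked first far more often than its position predicts while its visitors' dwell times are suspiciously uniform. The baseline click shares, thresholds, field names and log entries are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Assumed share of first clicks per result position. Constructed baseline for
# illustration, not measured data: top results normally attract most clicks.
BASELINE = {1: 0.40, 2: 0.20, 3: 0.12, 4: 0.08, 5: 0.06,
            6: 0.05, 7: 0.04, 8: 0.03, 9: 0.01, 10: 0.01}

def flag_boosted_results(sessions, min_lift=5.0, max_cv=0.15, min_clicks=20):
    """Flag (query, position) pairs picked first far more often than the
    baseline predicts AND whose dwell times are unnaturally uniform."""
    per_query = defaultdict(list)
    for s in sessions:
        per_query[s["query"]].append(s)
    flagged = {}
    for query, rows in per_query.items():
        dwell_by_pos = defaultdict(list)
        for r in rows:
            dwell_by_pos[r["first_click_pos"]].append(r["dwell_s"])
        for pos, dwells in dwell_by_pos.items():
            if len(dwells) < min_clicks or mean(dwells) == 0:
                continue  # too little data to judge
            share = len(dwells) / len(rows)
            lift = share / BASELINE.get(pos, 0.01)
            cv = pstdev(dwells) / mean(dwells)  # coefficient of variation
            if lift >= min_lift and cv <= max_cv:
                flagged[(query, pos)] = {"share": round(share, 2),
                                         "lift": round(lift, 1),
                                         "cv": round(cv, 3)}
    return flagged

def constructed_sessions():
    """Constructed sample log (not real data)."""
    def row(q, pos, dwell):
        return {"query": q, "first_click_pos": pos, "dwell_s": dwell}
    log = []
    # Emulated visitors: skip to result 7, stay "a couple of minutes".
    log += [row("buy widgets", 7, 120 + i % 5) for i in range(60)]
    # Organic visitors for the same query: top result, widely varying dwell.
    log += [row("buy widgets", 1, 3 + (i * 53) % 400) for i in range(40)]
    # A deep result that is genuinely popular: high lift, natural dwell spread.
    log += [row("acme widget manual", 7, 3 + (i * 53) % 400) for i in range(30)]
    # Ordinary query with clicks split between the top two results.
    log += [row("widget reviews", 1 + i % 2, 5 + (i * 37) % 300) for i in range(50)]
    return log

if __name__ == "__main__":
    for key, stats in flag_boosted_results(constructed_sessions()).items():
        print(key, stats)
```

Only the seventh result for "buy widgets" is flagged; the genuinely popular deep result has the same high lift but passes because real visitors' dwell times vary widely.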


There exists an entire family of similarly acting malicious programs—clicker trojans.

On August 8, Doctor Web reported that as many as 102,000,000 users installed a clicker trojan from Google Play on their Android devices.

Clicker trojans are widespread malicious programs designed to increase website visitation rates and earn money on online traffic. They simulate user actions on webpages by clicking on links and other interactive elements.

The trojan is a malicious module that was dubbed Android.Click.312.origin in accordance with the Dr.Web classification rules. It is built into ordinary applications, such as dictionaries, online maps, audio players, barcode scanners and other software. All these programs work properly and look harmless to users. Additionally, Android.Click.312.origin only starts engaging in malicious activity eight hours after it launches, so as not to raise suspicion.


Software installation

The trojan simulates user actions and installs bogus applications containing ads and other malware to generate a profit for criminals.

This is a very trendy money-making method. We’ve described similar programs:

Doctor Web security researchers discovered a trojan for mobile devices that injects its code into the Google Play process and covertly boosts installation counts in the software catalogue. It steals devices' IMEIs and Google account information as well as all sorts of authentication and Google Play authorisation codes and other sensitive information.

Android.Skyfin.1.origin connects to Google Play and imitates user activity in the Play Store app.


Interestingly, trojans imitate anti-virus applications too. Write some five lines of code and then sell it as a nimble anti-virus on Google Play—that's every crook's dream!

Nowadays, legitimate anti-viruses are so abundant that no one can remember all the titles.


So adding another one to the list arouses no suspicion.

In 2010, Google concluded that 50 percent of all malicious programs that spread via ads are fake anti-viruses.


Well, perhaps 50 percent is the result of a hasty calculation, but programs of this kind (genuine anti-viruses regard them as malicious) do exist.

The Anti-virus Times recommends

The imitation of user actions is also used to counteract criminals. Set up a honeypot server or a system that will mimic an entire corporate network and wait for an attack. One can even reveal in a forum post that this network is vulnerable. And then simulate user activity to make it look like the real thing: open and close documents, run programs, etc.

