Details have emerged about a “massive ad fraud operation” that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities.
The campaign has been codenamed Konfety – the Russian word for Candy – owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds.
“Konfety represents a new form of fraud and obfuscation, in which threat actors operate ‘evil twin’ versions of ‘decoy twin’ apps available on major marketplaces,” HUMAN’s Satori Threat Intelligence Team said in a technical report shared with The Hacker News.
While the decoy apps, totaling more than 250 in number, are harmless and distributed via the Google Play Store, their respective “evil twins” are disseminated through a malvertising campaign designed to facilitate ad fraud, monitor web searches, install browser extensions, and sideload APK files code onto users’ devices.
The most unusual aspect of the campaign is that the evil twin masquerades as the decoy twin by spoofing the latter’s app ID and advertising publisher IDs for rendering ads. Both the decoy and evil twin sets of apps operate on the same infrastructure, allowing the threat actors to exponentially scale their operations as required.
That having said, not only do the decoy apps behave normally, a majority of them do not even render ads. They also incorporate a GDPR consent notice.
“This ‘decoy/evil twin’ mechanism for obfuscation is a novel way for threat actors to represent fraudulent traffic as legitimate,” HUMAN researchers said. “At its peak, Konfety-related programmatic volume reached 10 billion requests per day.”
Put differently, Konfety takes advantage of the SDK’s ad rendering capabilities to commit ad fraud by making it a lot more challenging to distinguish malicious traffic from legitimate traffic.
The Konfety evil twin apps are said to be propagated via a malvertising campaign promoting APK mods and other software like Letasoft Sound Booster, with the booby-trapped URLs hosted on attacker-controlled domains, compromised WordPress sites, and other platforms that allow content uploads, including Docker Hub, Facebook, Google Sites, and OpenSea.
Users who end up clicking on these URLs are redirected to a domain that tricks them into downloading the malicious evil twin app, which, in turn, acts as a dropper for a first-stage that’s decrypted from the assets of the APK file and is used to set up command-and-control (C2) communications.
The initial stager further attempts to hide the app’s icon from the device’s home screen and runs a second-stage DEX payload that performs fraud by serving out-of-context, full-screen video ads when the user is either on their home screen or using another app.
“The crux of the Konfety operation lies in the evil twin apps,” the researchers said. “These apps mimic their corresponding decoy twin apps by copying their app ID/package names and publisher IDs from the decoy twin apps.”
“The network traffic derived from the evil twin applications is functionally identical to network traffic derived from the decoy twin applications; the ad impressions rendered by the evil twins use the package name of the decoy twins in the request.”
Other capabilities of the malware include weaponizing the CaramelAds SDK to visit websites using the default web browser, luring users by sending notifications that prompt them into clicking on the bogus links, or sideloading modified versions of other advertising SDKs.
That’s not all. Users installing the Evil Twins apps are urged to add a search toolbar widget to the device home screen, which surreptitiously monitors their searches by sending the data to domains named vptrackme[.]com and youaresearching[.]com.
“Threat actors understand that hosting malicious apps on stores is not a stable technique, and are finding creative and clever ways to evade detection and commit sustainable long term fraud,” the researchers concluded. “Actors setting up mediation SDK companies and spreading the SDK to abuse high-quality publishers is a growing technique.”
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.