More than 250 apps from Google Play are used to hide “malicious twin apps” and ad fraud

mobile phones, 18.07.2024, 12:00 PM

Researchers from HUMAN Security have discovered a massive ad scam that uses hundreds of apps in the Google Play Store as decoys.

The campaign was named Konfety (Russian for "candies") because it abuses the mobile advertising Software Development Kit (SDK) associated with the Russian ad network CaramelAds.

While the more than 250 decoy apps are harmless and distributed through the Google Play Store, their ad-distributed "evil twins" are designed to commit ad fraud, monitor web searches, install browser extensions and sideload APK files onto users' devices.

Both decoy apps and twin apps run on the same infrastructure, allowing fraudsters to exponentially scale their operations as needed.

The decoy apps behave normally; most of them do not even show ads, and most display a GDPR consent notice.

This decoy/evil twin mechanism is a new way for fraudsters to pass off fake traffic as legitimate.

The twin apps are propagated through a campaign that promotes APK mods and other software such as Letasoft Sound Booster, with URLs hosted on attacker-controlled domains, compromised WordPress sites, and other platforms that allow content uploads, including Docker Hub, Facebook, Google Sites and OpenSea.

Users who click these URLs are redirected to a domain where they are tricked into downloading a malicious Blzan application, which functions as a dropper and establishes communication with the attackers' server.

The app's icon is then removed from the device's home screen and a second-stage payload is launched that displays full-screen video ads out of context, while the user is on the home screen or using another app.

"The essence of Operation Konfety lies in the evil twin apps," the researchers said. "These apps mimic the corresponding decoy twins by copying their app IDs/package names and publisher IDs from the decoy twins."

"Network traffic from evil-twin applications is functionally identical to network traffic from decoy-twin applications; ad requests from evil twins use the decoy twin's package name."
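Because an evil twin reuses a decoy's package name, the package name alone cannot tell the two apart; what does differ is the signing certificate and the install source. The following is an added example (not code from the HUMAN report or from the article) showing how a fleet inventory could flag such installs; the package names, certificate fingerprints and the `InstalledApp` record are constructed assumptions for illustration.

```python
"""Flag possible "evil twin" installs: an app whose package name matches a
known Play-distributed decoy but whose signing certificate or install source
does not. All data below is constructed sample data, not real indicators."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InstalledApp:
    package: str          # package name, e.g. as listed by `pm list packages`
    cert_sha256: str      # SHA-256 of the APK signing certificate (hex)
    installer: str        # installing package, or "" if unknown/sideloaded
    launcher_icon: bool   # whether the app still exposes a launcher icon


PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed reference set: package -> fingerprint of the Play-published copy.
KNOWN_PLAY_CERTS: Dict[str, str] = {
    "com.example.wallpapers": "aa" * 32,
    "com.example.notes": "bb" * 32,
}


def classify(app: InstalledApp) -> List[str]:
    """Return the reasons an install looks like a twin (empty list = clean)."""
    reasons: List[str] = []
    expected = KNOWN_PLAY_CERTS.get(app.package)
    if expected is None:
        return reasons  # not a package we have a Play reference for
    if app.cert_sha256.lower() != expected:
        reasons.append("signing certificate differs from the Play-distributed copy")
    if app.installer != PLAY_STORE_INSTALLER:
        reasons.append(f"installed by '{app.installer or 'unknown'}' rather than Play")
    if not app.launcher_icon:
        reasons.append("no launcher icon (hidden-dropper behaviour)")
    return reasons


def find_twins(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map each suspicious package in the inventory to its list of reasons."""
    return {a.package: r for a in inventory if (r := classify(a))}


# Constructed inventory: one genuine Play install, one suspicious sideload,
# and one unrelated app with no reference entry.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.wallpapers", "aa" * 32, PLAY_STORE_INSTALLER, True),
    InstalledApp("com.example.notes", "cc" * 32, "", False),
    InstalledApp("com.other.app", "dd" * 32, "", True),
]

if __name__ == "__main__":
    for pkg, reasons in find_twins(SAMPLE_INVENTORY).items():
        print(pkg, "->", "; ".join(reasons))
```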

These applications also open websites in the default web browser, send notifications that encourage users to click on links, and sideload modified versions of other ad SDKs.

Users are also encouraged to add a search widget to their device's home screen, which secretly monitors their searches.

The researchers say fraudsters are apparently "finding creative and clever ways to avoid detection and commit sustainable long-term fraud".

Google, for its part, says it monitors the various variants of twin apps and takes steps to protect users from this threat. According to Google, users have been protected from such apps for more than a year by Google Play Protect, which is enabled by default on Android devices with Google Play Services; it warns users about, and disables, apps identified as "evil twins".

Photo: Yura Fresh | Unsplash

Source: www.informacija.rs