Details have emerged about a "massive ad fraud operation" that leverages hundreds of apps on the Google Play Store to perform a host of nefarious activities.
The campaign has been codenamed Konfety – the Russian word for Candy – owing to its abuse of a mobile advertising software development kit (SDK) associated with a Russia-based ad network called CaramelAds.
"Konfety represents a new form of fraud and obfuscation, in which threat actors operate 'evil twin' versions of 'decoy twin' apps available on major marketplaces," HUMAN's Satori Threat Intelligence Team said in a technical report shared with The Hacker News.
While the decoy apps, totaling more than 250 in number, are harmless and distributed via the Google Play Store, their respective "evil twins" are disseminated through a malvertising campaign designed to facilitate ad fraud, monitor web searches, install browser extensions, and sideload APK files code onto users' devices.
The most unusual aspect of the campaign is that the evil twin masquerades as the decoy twin by spoofing the latter's app ID and advertising publisher IDs for rendering ads. Both the decoy and evil twin sets of apps operate on the same infrastructure, allowing the threat actors to exponentially scale their operations as required.
That having said, not only do the decoy apps behave normally, a majority of them do not even render ads. They also incorporate a GDPR consent notice.
"This 'decoy/evil twin' mechanism for obfuscation is a novel way for threat actors to represent fraudulent traffic as legitimate," HUMAN researchers said. "At its peak, Konfety-related programmatic volume reached 10 billion requests per day."
Put differently, Konfety takes advantage of the SDK's ad rendering capabilities to commit ad fraud by making it a lot more challenging to distinguish malicious traffic from legitimate traffic.
The Konfety evil twin apps are said to be propagated via a malvertising campaign promoting APK mods and other software like Letasoft Sound Booster, with the booby-trapped URLs hosted on attacker-controlled domains, compromised WordPress sites, and other platforms that allow content uploads, including Docker Hub, Facebook, Google Sites, and OpenSea.
Users who end up clicking on these URLs are redirected to a domain that tricks them into downloading the malicious evil twin app, which, in turn, acts as a dropper for a first-stage that's decrypted from the assets of the APK file and is used to set up command-and-control (C2) communications.
The initial stager further attempts to hide the app's icon from the device's home screen and runs a second-stage DEX payload that performs fraud by serving out-of-context, full-screen video ads when the user is either on their home screen or using another app.
"The crux of the Konfety operation lies in the evil twin apps," the researchers said. "These apps mimic their corresponding decoy twin apps by copying their app ID/package names and publisher IDs from the decoy twin apps."
"The network traffic derived from the evil twin applications is functionally identical to network traffic derived from the decoy twin applications; the ad impressions rendered by the evil twins use the package name of the decoy twins in the request."
Other capabilities of the malware include weaponizing the CaramelAds SDK to visit websites using the default web browser, luring users by sending notifications that prompt them into clicking on the bogus links, or sideloading modified versions of other advertising SDKs.
That's not all. Users installing the evil twins apps are urged to add a search toolbar widget to the device home screen, which surreptitiously monitors their searches by sending the data to domains named vptrackme[.]com and youaresearching[.]com.
"Threat actors understand that hosting malicious apps on stores is not a stable technique, and are finding creative and clever ways to evade detection and commit sustainable long term fraud," the researchers concluded. "Actors setting up mediation SDK companies and spreading the SDK to abuse high-quality publishers is a growing technique."
The disclosure comes a little over three months after HUMAN uncovered another malicious Android VPN app campaign dubbed PROXYLIB that leveraged a different SDK from LumiApps to incorporate proxyware functionality without users' consent or knowledge.
"I see exploitation of openly available mobile SDKs, like the one covered in the PROXYLIB investigation and the CaramelAds SDK covered in this investigation as part of a larger trend around more effectively hiding malicious functionality, along the same lines as some of the very well-known supply chain attacks and abuses of legitimate software," Lindsay Kaye, vice president of threat intelligence at HUMAN Security, told The Hacker News.
"As we get more skilled at rooting out malicious behavior and stopping it, threat actors will continue to find new, more effective ways of hiding or persisting their malware, such as through both infecting SDKs and methods such as the 'evil twin' one discussed in this report. I expect we will see new techniques emerge to make this possible."
To mitigate the risks posed by such as Konfety, it's recommended to only download apps from legitimate app stores, ensure that Google Play Protect is enabled, and exercise caution when it comes to clicking suspicious links, Kaye added.
When reached for comment, a Google spokesperson told The Hacker News that the company has been actively monitoring different variations of the evil twin apps on the app storefront and taking steps to safeguard users against the threat.
"Users have been protected against the 'evil twin' apps for over a year with Google Play Protect. Google Play Protect, which is on by default on Android devices with Google Play Services, warns users and disables apps identified to be 'evil twin' apps."
(The story was updated after publication to include additional comments from HUMAN Security.)
