An IT security company found ad-fraud apps on Google Play and Apple's App Store totaling 13.8 million downloads.
The IT security company Human has uncovered an ad-fraud campaign that abuses apps for Android and iOS. The fraudsters add functions to the “Scylla” scam in order to display more advertising and commit click fraud. The campaign involves more than 75 Android apps and more than 10 iOS apps. They reached more than 13 million downloads before Google and Apple removed them from their stores.
Peculiarities of the malware
In their analysis, the IT security researchers explain that the apps use so-called receivers, components that notify the app of certain system events, for example that the smartphone has been switched to flight mode. The criminal masterminds use receivers in this way to detect that a user is present and then display advertisements either without context or even invisibly.
Such contextless advertising pops up, for example, on the home screen in the launcher without any app having been started that the ad could belong to. Pop-up advertisements of this kind are generally an indication of unwanted software on the phone.
Ads loaded invisibly in background web views are also intended to increase revenue. Since clicked ads bring in far more revenue, the malicious apps even click on the invisible ads themselves. In doing so, they abuse multiple advertising SDKs, on both iOS and Android.
But the optimizations go further, Human explains in the report. Since the malware apps are mostly games, which generate less advertising revenue than streaming services, for example, the apps fake their app and bundle ID toward the advertising SDK and pose as a “more lucrative” app to the advertisers.
To make detection more difficult, the malware authors also use Allatori code obfuscation, which replaces identifiers in the code with single letters and digits. This complicates analysis of the functions.
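As an added illustration (not code from Human's report), the following Python triage script inspects a decoded AndroidManifest.xml for the pattern described above: receivers registered for presence-related broadcasts such as flight-mode changes, combined with the overlay permission needed to draw ads over the launcher, with a side check for single-letter class names of the kind name-mangling obfuscators produce. The manifest, package name and class names are constructed for the example.

```python
"""Triage heuristic for Android manifests: flag receivers that listen for
user-presence broadcasts in an app that can also draw over other apps.
Added example with a constructed manifest; not an IoC from the report."""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# System broadcasts that reveal a person is actively using the phone
# (flight mode toggled, device unlocked). A game rarely needs them.
PRESENCE_ACTIONS = {
    "android.intent.action.AIRPLANE_MODE",
    "android.intent.action.USER_PRESENT",
}
# Permission required to draw windows (e.g. ads) over the launcher.
OVERLAY_PERMISSION = "android.permission.SYSTEM_ALERT_WINDOW"


def _is_minified(class_name: str) -> bool:
    """True when every package segment is one character, e.g. '.a.b'."""
    parts = [p for p in class_name.split(".") if p]
    return bool(parts) and all(len(p) == 1 for p in parts)


def triage_manifest(xml_text: str) -> dict:
    """Return presence-receiver findings and an overall suspicion verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = []
    for rcv in root.iter("receiver"):
        name = rcv.get(ANDROID_NS + "name", "")
        actions = {a.get(ANDROID_NS + "name") for a in rcv.iter("action")}
        hits = sorted(actions & PRESENCE_ACTIONS)
        if hits:  # receiver wakes up when the user is around
            findings.append({"receiver": name, "presence_actions": hits,
                             "minified_name": _is_minified(name)})
    has_overlay = OVERLAY_PERMISSION in perms
    return {"package": root.get("package"), "has_overlay_permission": has_overlay,
            "findings": findings, "suspicious": bool(findings) and has_overlay}


# Constructed sample: a "game" with an obfuscated receiver for presence events.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.game">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <receiver android:name=".a.b" android:exported="true"><intent-filter>
      <action android:name="android.intent.action.AIRPLANE_MODE"/>
      <action android:name="android.intent.action.USER_PRESENT"/>
    </intent-filter></receiver>
    <receiver android:name=".Referrer"><intent-filter>
      <action android:name="com.android.vending.INSTALL_REFERRER"/>
    </intent-filter></receiver>
  </application></manifest>"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The heuristic is a triage signal for analysts, not proof of fraud; legitimate apps with a reason to react to these broadcasts will also match and need manual review.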
Apple and Google have already removed the apps from their software stores. However, since users may have installed them from other sources, Human provides so-called Indicators of Compromise in the report. Depending on the platform, these include the app name, bundle name and SHA256 hash. Users should uninstall these apps from their smartphone.
Malware keeps appearing on smartphones despite all the security measures in the manufacturers’ app stores. The Android Trojan Harly recently reached 4.8 million downloads. At least Apple and Google quickly remove apps identified as malicious both from the stores and from affected smartphones.