38 different Android apps committing ad fraud. These apps included beauty camera and photo editing applications as well. In all, the apps boasted a whopping 20 million downloads altogether.
Describing the types of frauds committed by the apps, there are three different types.
- Out-of-Context (OOC) Ads: That is, showed ads to the users sourced from various ad networks.
- Out-of-Context Navigation: Redirecting users to various links as instructed by the C&C.
- App Icon Removal: Removing the app icon from the users’ device, following installation, thus going stealth.
While this isn’t new for such apps to target Google Play Store, what’s different with this campaign is the hiding of malicious codes. This action seemed an attempt to ensure persistent existence on the Play Store whilst ditching the Play Store’s security. To do so, the attackers included extra Dalvik Executables (DEX) files in the APKs in an obfuscated manner to ditch detection.
The threat actors exploited Arabic and Chinese characters for this obfuscation to create confusion about the origin of the authors, they transforming their apps to legit versions, they couldn’t figure out the exact reason. However, a possible reason behind this activity may be that the attackers strive to evade detection and plan to reinstall the malicious code later. Anyhow, White Ops, following this discovery, reached out to Google, following which, Google removed all apps from the Play Store.