Man
Human Security specialists have discovered a fraudulent operation codenamed Konfety. The attackers distribute decoy apps and their malicious counterparts with the CaramelAds advertising SDK through the Google Play Store and other platforms. A total of 250 such apps were discovered.
Details have emerged of a "massive operation" that found at least 250 apps in the Google Play store were being used to commit various malicious activities, including ad fraud.
Experts have named this campaign Konfety, as they associate it with the Russian advertising network CaramelAds. The apps belonging to this group contain a software development kit (SDK) for mobile advertising.
According to a report from HUMAN's threat intelligence group Satori, Konfety is a new form of fraud and information obfuscation in which attackers use "evil doppelgangers" of their legitimate decoy apps available on Google Play and other marketplaces.
Contents
1. New Tactic: “Harmless ↔ Malicious”
2. How the advertising fraud happened
3. What else is known about the Konfety malware campaign
4. In conclusion
New Tactic: “Harmless ↔ Malicious”
The decoy apps, which totaled over 250, were harmless and distributed via the Google Play Store, while their evil counterparts were distributed via a malicious advertising campaign. Fraudsters used them to commit ad fraud, track users' search queries, install browser extensions, and download APK code to devices.
To make the malicious app pass as its decoy, the attackers spoofed the decoy's app ID as well as the publisher IDs used to display ads. To avoid being blocked, the cybercriminals did not place ads in all decoy apps and also included a GDPR consent notice.
Both sets of applications - the decoy and the evil twin - run on the same infrastructure, which allowed the scammers to scale their attacks.
According to experts, this tactic of pairing a harmless and malicious application is a new way for attackers to pass off fraudulent traffic as legitimate. Experts add that at its peak, the volume of requests from the malicious Konfety campaign reached 10 billion per day.
In other words, Konfety used the SDK's ad rendering capabilities to commit ad fraud while carefully hiding and making the malicious traffic difficult to detect.
How the advertising fraud happened
— Distribution method: According to the report, the twin apps were distributed via a malicious ad campaign that advertised APK mods and other programs, such as Letasoft Sound Booster (an app for increasing volume). Each of these ads contained URLs that led to attacker-controlled domains, hacked WordPress sites, and any other platforms where content could be uploaded and downloaded, including Docker Hub, Facebook* (owned by Meta, which is banned in Russia), Google Sites, and OpenSea.
— Stage one: Users who clicked on malicious ads were redirected to domains where they were tricked into downloading malicious applications. Once installed, the malware contacted the C2 server, thus putting the victim's device under the control of the attackers.
— Stage two: Next, an attempt was made to hide the app icon from the user’s device’s home screen and launch the DEX payload, the purpose of which was to perform further fraudulent actions, such as displaying an out-of-context full-screen video ad while the user was on the home screen or using another app.
According to the experts, the network traffic originating from the malicious lookalike apps was functionally identical to the network traffic originating from the decoy apps. The ad impressions displayed by the malicious apps used the package name of the legitimate decoy apps in the request.
What else is known about the Konfety malware campaign
In addition to ad fraud, the malicious CaramelAds SDK forced various websites to open in the browser and sent notifications, thereby tricking users into clicking on fraudulent links.
But that's not all. Users who installed the malicious apps were urged to add a search bar to their device's home screen, which the scammers used to secretly track search queries. They then sent this data to the domains vptrackme[.]com and youaresearching[.]com.
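Two defender-side checks for the behaviour described in the two sections above (the evil twin reusing the decoy's package ID in ad requests, and lookups of the two search-tracking domains), as an added Python example that is not from the HUMAN report or the forum post. It assumes the twin keeps the decoy's package ID and arrives by sideloading, so `adb shell pm list packages -i` records a non-Play installer for it; the decoy package names and the log lines are constructed.

```python
import re
from typing import Dict, List

PLAY_STORE = "com.android.vending"  # installer recorded for apps that came from Google Play

# Package names of the harmless decoy apps on Google Play. Constructed for this
# example; a real list would come from the store listing or a vendor IoC feed.
KNOWN_DECOY_PACKAGES = {"com.example.soundboost", "com.example.wallpaperpack"}

# Search-tracking domains named in the report (defanging brackets removed).
TRACKING_DOMAINS = {"vptrackme.com", "youaresearching.com"}

# One line of `adb shell pm list packages -i` output.
PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def find_lookalike_installs(pm_output: str) -> List[Dict[str, str]]:
    """Packages that carry a decoy app's ID but were not installed by Play.
    Assumption: the evil twin reuses the decoy's package ID and is sideloaded
    from the ad campaign, so it shows up with installer=null or a browser."""
    hits = []
    for line in pm_output.splitlines():
        m = PM_LINE.match(line.strip())
        if m and m["pkg"] in KNOWN_DECOY_PACKAGES and m["inst"] != PLAY_STORE:
            hits.append({"package": m["pkg"], "installer": m["inst"]})
    return hits


def find_tracking_lookups(dns_log: str) -> List[str]:
    """Hostnames in a DNS query log that match the report's tracking domains."""
    seen: List[str] = []
    for line in dns_log.splitlines():
        for host in re.findall(r"[\w.-]+\.[a-z]{2,}", line.lower()):
            if host in TRACKING_DOMAINS and host not in seen:
                seen.append(host)
    return seen


# Constructed samples: one decoy ID sideloaded (installer=null), one from Play,
# one unrelated Play app; then three constructed DNS query lines.
SAMPLE_PM = """package:com.example.soundboost  installer=null
package:com.example.wallpaperpack  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
"""
SAMPLE_DNS = """12:00:01 query A ads.example.net
12:00:02 query A vptrackme.com
12:00:03 query A youaresearching.com
"""
```

On a real device, feed the output of `adb shell pm list packages -i` to the first function; a decoy ID with an installer other than Play is worth a closer look at the APK's signing certificate.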
In conclusion
Despite all the filters, checks, and fraud tracking tools, cybercriminals continue to find and develop new methods and tactics to commit ad fraud and other malicious activities.
To reduce the risks associated with both the Konfety campaign and other fraudulent activities, users are advised to download apps only from legitimate app stores and to exercise caution when clicking on suspicious links.