
Scylla: Ad Fraud Scheme in 85 Apps with 13 Million Downloads


Security researchers have exposed 85 apps involved in an ongoing ad fraud campaign that began in 2019. 75 of these apps are on Google Play, while 10 are on the App Store. Collectively, the apps have more than 13 million downloads to date.
 
Researchers from HUMAN’s Satori Threat Intelligence team have collectively named the mobile apps identified in this ad fraud campaign ‘Scylla’.
 
The malicious apps flooded mobile devices with advertisements, both visible and hidden. Additionally, the fraudulent apps earned revenue by impersonating legitimate apps in app stores. Although these apps are not considered severe threats to users, the adware operators could use them for more malicious activities.
 
According to the researchers, Scylla is believed to be the third wave of an ad fraud campaign that came to light in August 2019, termed ‘Poseidon’. The second wave, called ‘Charybdis’, ran until the end of 2020.

The original operation, Poseidon, comprised over 40 fraudulent Android apps designed to display out-of-context ads, or even ads hidden from the view of mobile users.
 
The second wave, Charybdis, was a more sophisticated version of Poseidon, targeting advertising platforms and using code obfuscation tactics. Scylla apps, on the other hand, expand beyond Android to target the iOS ecosystem. In addition, Scylla relies on further layers of code obfuscation, using the Allatori Java obfuscator, which makes it harder for researchers to detect or reverse engineer the adware.
 
These fraudulent apps are engineered to commit several kinds of ad fraud, including mimicking popular apps (such as streaming services) to trick advertising SDKs into placing their ads, displaying out-of-context and hidden ads, generating clicks from unsuspecting users, and funnelling the resulting ad revenue to the operator.
 
"In layman's terms, the threat actors code their apps to pretend to be other apps for advertising purposes, often because the app they're pretending to be is worth more to an advertiser than the app would be by itself," states HUMAN Security.
 
According to the sources, the researchers informed Google and Apple about these fraudulent apps, and the apps have since been removed from Google Play and the App Store. Users who have downloaded any of the suspected adware apps are advised to remove them.
  
Furthermore, given the increase in such fraud, the Satori researchers have suggested precautionary measures users can take to avoid falling for adware: examine apps before downloading them, watch for apps you do not remember installing, and avoid third-party app stores that could harbor malicious applications.

Nitrokod Crypto Miner Infected 111K+ Users with Replica of Popular Software


Nitrokod, a Turkish-speaking entity, has been linked to an ongoing cryptocurrency mining campaign that imitates a desktop application for Google Translate and has infected over 111,000 victims in 11 countries since 2019.

Maya Horowitz, vice president of research at Check Point, said in a statement shared with The Hacker News, "The malicious tools can be used by anyone. They can be found by a simple web search, downloaded from a link, and installation is a simple double-click." 

The victims come from the United Kingdom, the United States, Sri Lanka, Greece, Israel, Germany, Turkey, Cyprus, Australia, Mongolia, and Poland. The campaign involves the distribution of malware via free software hosted on popular websites such as Softpedia and Uptodown. 

To evade detection, the malware postpones execution for weeks and separates its malicious activity from the downloaded fake software. Following the installation of the infected program, an update executable is deployed to disk, launching a four-stage attack sequence in which each dropper paves the way for the next, until the actual malware is dropped in the seventh stage.

When the malware is executed, a connection is established to a remote command-and-control (C2) server to retrieve a configuration file to begin the coin mining activity.

The free fake software offered by the Nitrokod campaign imitates services that do not have an official desktop version, such as Yandex Translate, Microsoft Translate, YouTube Music, MP3 Download Manager, and PC Auto Shutdown.

Furthermore, the malware is dropped nearly a month after the initial infection, by which time the forensic trail has been erased, making it difficult to reconstruct the attack and trace it back to the installer.

Horowitz concluded, "What's most interesting to me is the fact that the malicious software is so popular, yet went under the radar for so long. The attacker can easily choose to alter the final payload of the attack, changing it from a crypto miner to, say, ransomware or banking trojan."

Facebook Ads Push Android Adware, Installed 7M Times on Google Play Store


Several adware programmes, marketed aggressively on Facebook as system cleaners and optimizers for Android devices, have accumulated millions of downloads from the Google Play store.

The applications lack all of the advertised functionality and push adverts while attempting to stay on the device for as long as possible. To avoid deletion, the applications regularly change their icons and names, posing as Settings or the Play Store itself. 

Adware applications make use of the Android component Contact Provider, which allows them to transfer data between the device and web services. Because the subsystem is contacted whenever a new programme is installed, the adware can exploit it to start the ad-serving process. To the user, it may appear that the advertising is being pushed by the legitimate app they just installed.

The adware applications were found by McAfee researchers, who point out that users do not need to launch them after installation to see the advertising, because the adware runs automatically without user intervention. The first thing these intrusive apps do is set up a persistent service for displaying adverts; if the process is "killed" (terminated), it instantly restarts.

A video accompanying the analysis demonstrates how the adware's name and icon change automatically and how ad-serving occurs without user intervention.

According to McAfee's analysis, users are persuaded to trust the adware applications because they see a Play Store link on Facebook, leaving little room for doubt. As a result, these apps have reached exceptionally high download counts, as shown below:
  • Junk Cleaner, cn.junk.clean.plp, 1M+ downloads
  • EasyCleaner, com.easy.clean.ipz, 100K+ downloads
  • Power Doctor, com.power.doctor.mnb, 500K+ downloads
  • Super Clean, com.super.clean.zaz, 500K+ downloads
  • Full Clean -Clean Cache, org.stemp.fll.clean, 1M+ downloads
  • Fingertip Cleaner, com.fingertip.clean.cvb, 500K+ downloads
  • Quick Cleaner, org.qck.cle.oyo, 1M+ downloads
  • Keep Clean, org.clean.sys.lunch, 1M+ downloads
  • Windy Clean, in.phone.clean.www, 500K+ downloads
  • Carpet Clean, og.crp.cln.zda, 100K+ downloads
  • Cool Clean, syn.clean.cool.zbc, 500K+ downloads
  • Strong Clean, in.memory.sys.clean, 500K+ downloads
  • Meteor Clean, org.ssl.wind.clean, 100K+ downloads
The majority of affected users are in South Korea, Japan, and Brazil, but the adware has spread globally. The adware applications have been removed from the Google Play Store; however, users who installed them must still delete them manually from their devices.

Despite their limited benefits, system cleaners and optimizers are popular software categories. Cybercriminals know that many people will try such tools to extend the life of their devices, so they disguise malicious software as them.