Tuesday, December 5, 2023

Over 75 Applications on Google Play with 13M Installations Deliver Adware

Researchers from HUMAN’s Satori Threat Intelligence team found a new adware operation named ‘Scylla’, which is the third wave of an attack reported in August 2019 dubbed ‘Poseidon’. The second wave, indeed from the same threat actor, was called ‘Charybdis’ and cropped up in late 2020.

Reports say Apps related with Scylla operation have been downloaded 13+ million times. Experts identified 75+ Android apps and 10+ iOS apps engaged in advertising fraud. 

The Working of Scylla

Satori team found that the Scylla apps use a bundle ID spoofing as primary fraud mechanism.

“Our PARETO investigation, for example, uncovered 29 Android apps that were pretending to be more than 6,000 CTV-based apps, which generally carry higher prices for advertisers than the average mobile game”, says HUMAN’s Satori Threat Intelligence team.

In the apps in the Scylla operation are instructed which bundle ID to use by a remote command-and-control (C2) server. Therefore, it tells the app which bundle ID to dynamically insert in the code.

C2 response with designated ID to be used by the app
Response from C2 server with spoofing instructions

Also, , the ads are loaded in hidden WebView windows, here so the victim never gets to notice anything suspicious, as it all happens in the background.

UI elements identifying the location of webviews for ads
UI elements identifying the location of webviews for ads

Researchers explain fake clicks have many advantages for the fraudster: for ad networks that bill on a views model, clicks demonstrate effectiveness, which makes advertisers want to stick around. But some other ad networks bill by the click, which incentivizes the fraudster to just fake the clicks to get paid.

Generating a fake click on the invisible advertisement

The adware also uses a “JobScheduler” system to trigger ad impression events when the victims aren’t actively using their devices. Researchers say Scylla apps rely on additional layers of code obfuscation using the Allatori Java obfuscator. This makes detection and reverse engineering more hard for researchers.

Therefore, Human is recommending users remove the fraudulent apps if present on their devices.

iOS App List:

  • Loot the Castle – com.loot.rcastle.fight.battle (id1602634568)
  • Run Bridge – com.run.bridge.race (id1584737005)
  • Shinning Gun – com.shinning.gun.ios (id1588037078)
  • Racing Legend 3D – com.racing.legend.like (id1589579456)
  • Rope Runner – com.rope.runner.family (id1614987707)
  • Wood Sculptor – com.wood.sculptor.cutter (id1603211466)
  • Fire-Wall – com.fire.wall.poptit (id1540542924)
  • Ninja Critical Hit – wger.ninjacriticalhit.ios (id1514055403)
  • Tony Runs – com.TonyRuns.game

Android App List (1+ million downloads)

  • Super Hero-Save the world! – com.asuper.man.playmilk
  • Spot 10 Differences – com.different.ten.spotgames
  • Find 5 Differences – com.find.five.subtle.differences.spot.new
  • Dinosaur Legend – com.huluwagames.dinosaur.legend.play
  • One Line Drawing – com.one.line.drawing.stroke.yuxi
  • Shoot Master – com.shooter.master.bullet.puzzle.huahong
  • Talent Trap – NEW – com.talent.trap.stop.all

The full list of applications part of the Scylla ad-fraud wave is available in HUMAN’s report.

Download Free SWG – Secure Web Filtering – E-book


Latest articles

Hackers Use Weaponized Documents to Attack U.S. Aerospace Industry

An American aerospace company has been the target of a commercial cyberespionage campaign dubbed...

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Booking.com Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles