Researchers from HUMAN’s Satori Threat Intelligence team found a new adware operation named ‘Scylla’, which is the third wave of an attack reported in August 2019 dubbed ‘Poseidon’. The second wave, indeed from the same threat actor, was called ‘Charybdis’ and cropped up in late 2020.
Reports say Apps related with Scylla operation have been downloaded 13+ million times. Experts identified 75+ Android apps and 10+ iOS apps engaged in advertising fraud.
Satori team found that the Scylla apps use a bundle ID spoofing as primary fraud mechanism.
“Our PARETO investigation, for example, uncovered 29 Android apps that were pretending to be more than 6,000 CTV-based apps, which generally carry higher prices for advertisers than the average mobile game”, says HUMAN’s Satori Threat Intelligence team.
In the apps in the Scylla operation are instructed which bundle ID to use by a remote command-and-control (C2) server. Therefore, it tells the app which bundle ID to dynamically insert in the code.
Also, , the ads are loaded in hidden WebView windows, here so the victim never gets to notice anything suspicious, as it all happens in the background.
Researchers explain fake clicks have many advantages for the fraudster: for ad networks that bill on a views model, clicks demonstrate effectiveness, which makes advertisers want to stick around. But some other ad networks bill by the click, which incentivizes the fraudster to just fake the clicks to get paid.
The adware also uses a “JobScheduler” system to trigger ad impression events when the victims aren’t actively using their devices. Researchers say Scylla apps rely on additional layers of code obfuscation using the Allatori Java obfuscator. This makes detection and reverse engineering more hard for researchers.
Therefore, Human is recommending users remove the fraudulent apps if present on their devices.
The full list of applications part of the Scylla ad-fraud wave is available in HUMAN’s report.
Download Free SWG – Secure Web Filtering – E-book
GitLab has announced the release of critical security updates for its Community Edition (CE) and…
Multiple Xerox printer models, including EC80xx, AltaLink, VersaLink, and WorkCentre, have been identified as vulnerable…
Cisco has issued a critical security advisory regarding a vulnerability in its Adaptive Security Appliance…
Google has released several security patches for its Chrome browser, addressing critical vulnerabilities that malicious…
Grayscale Investments, a prominent crypto asset manager, has reportedly suffered a data breach affecting 693,635…
A database containing over 1,000 email accounts associated with the National Health Service (NHS) has…