Cybersecurity researchers have warned about a massive ad fraud campaign that offers hundreds of malicious apps published on the Google Play Store, offering full-screen ads and leveraging hundreds of malicious apps to carry out phishing attacks.
“The app will even display ads outside of context and try to persuade the victim to provide credentials and credit card information in a phishing attack,” Bitdefender said in a report shared with Hacker News.
Activity details were first disclosed earlier this month by Integrated Advertising Science (IAS) and documented the discoveries of over 180 apps designed to deploy endless, disturbing, full-screen interstitial video ads. The ad fraud scheme was codename steam.
The apps, which were removed by Google, collectively accumulated over 56 million downloads under the guise of legitimate apps, generating over 200 million bid requests every day.
“The scammers behind the Vapor operations create multiple developer accounts, each hosting only a handful of apps to distribute the operations and avoid detection,” IAS Threat Lab said. “This distributed setup ensures that takedowns for a single account have minimal impact on the overall operation.”
By mimicking seemingly harmless utilities, fitness and lifestyle applications, this operation was able to successfully install unconscious users.
Another important aspect is that we know that threat actors employ a sly technique called versions. This will expose malicious features to the functional app that will pass Google’s review process. The feature will be removed in subsequent app updates, and ads will appear in the way.
Additionally, the ads hijack the entire screen of the device, preventing the victim from using the device, making it almost inoperable. The campaign is believed to have begun around April 2024, before expanding earlier this year. Over 140 fake apps have been uploaded to the Play Store in October and November alone.
The latest findings from Romanian cybersecurity companies show that the campaign is bigger than previously thought, featuring up to 331 apps with a total of over 60 million downloads.
In addition to hiding app icons from the launcher, it has also been observed that some of the identified applications attempt to collect credit card data and user credentials for online services. Malware can also remove device information from attacker-controlled servers.
Another technique used to avoid detection is to use Leanback Launcher, a type of launcher designed specifically for Android-based TV devices, and to change your own name and icon by impersonating Google Voice.
“The attackers found a way to hide app icons from launchers that are restricted to new Android iterations,” says Bitdefender. “Even though it’s technically impossible on Android 13, the app can start without user interaction.”
The campaign is considered to be the work of either a single threat actor or multiple cybercriminals who use the same packaging tools sold in underground forums.
“The applications under investigation bypass the security restrictions on Android, launching activities even if they are not running in the foreground, and spams users with continuous, full-screen ads if they don’t have the necessary permissions,” the company added. “The same behavior is used to provide a UI element that features phishing attempts.”
Source link
