
A massive ad fraud and click fraud operation dubbed SlopAds ran a cluster of 224 apps that attracted 308 million downloads across 228 countries and regions.
"These apps use steganography to deliver fraud payloads, create hidden WebViews, navigate to threat actor-owned cash-out sites, and generate impressions and clicks on fraudulent ads," HUMAN's Satori Threat Intelligence and Research team said in a report shared with The Hacker News.
The name "SlopAds" is a nod to the mass-produced nature of the apps and to the AI-themed services, such as StableDiffusion, AIGuide, and ChatGLM, that the threat actors hosted on their command-and-control (C2) servers.

The company said the campaign accounted for 2.3 billion bid requests per day at its peak, with traffic from the SlopAds apps originating mainly from the US (30%), India (10%) and Brazil (7%). Google has since removed all of the offending apps from the Play Store, effectively disrupting the operation.
What sets the activity apart is that a SlopAds-related app, once installed, queries a mobile marketing attribution SDK to determine whether it was installed organically (directly from the Play Store) or as the result of a user clicking on one of the threat actor's ads and being redirected to the Play Store listing.

The fraudulent behavior starts only when the install is attributed to an ad click: in that case the app downloads the ad fraud module, FatModule, from the C2 server. If the app was installed organically, it works as advertised on its Play Store listing.
"From developing and publishing apps that commit fraud only under certain circumstances to adding layer upon layer of obfuscation, SlopAds reinforces the notion that threats to the digital advertising ecosystem are merely sophisticated," the HUMAN researchers said.
“This tactic creates a more complete feedback loop for threat actors and only causes fraud if there is reason to believe the device has not been investigated by security researchers. It fuses malicious traffic into legitimate campaign data, complicating detection.”
FatModule is delivered as four PNG image files that conceal pieces of the APK; the pieces are decrypted, reassembled and executed to carry out the ad fraud, using hidden WebViews to collect device and browser information.
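The page states only that the module arrives as four PNGs that hide APK pieces which are then decrypted and reassembled; it does not say how the pieces are hidden, what cipher is used, or how the order is recovered. The following is an added example, not HUMAN's code or anything taken from the SlopAds sample. It assumes, for illustration, a common carrier technique that a practitioner would check for first: a valid PNG with the fragment appended after the IEND chunk, a single-byte XOR "encryption", and filename order for reassembly. The triage function (flag PNGs that carry bytes after IEND) is the part that transfers directly to analysing a suspect APK's assets, whatever the real scheme turns out to be.

```python
"""Triage check for PNG files that carry data after the IEND chunk, and
reassembly of a payload split across several such carrier images.

Added example (not HUMAN's code, not the SlopAds sample). Assumed scheme,
chosen for illustration only: fragment appended after IEND, single-byte XOR,
fragments concatenated in filename order. All sample data is constructed.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_data(data: bytes) -> bytes:
    """Walk the chunk list and return any bytes that follow the IEND chunk.

    A well-formed PNG ends exactly at IEND; anything after it is a strong
    hint that the image is being used as a carrier for something else.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # length+type header, chunk body, CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk with its CRC-32 over type and body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_carrier_png(fragment: bytes) -> bytes:
    """Constructed 1x1 greyscale PNG (valid for any viewer) with `fragment` appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit grey, no interlace
    raw_scanline = b"\x00\x00"                           # filter byte + one pixel
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw_scanline))
            + _chunk(b"IEND", b"") + fragment)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applied twice it restores the input (assumed toy cipher)."""
    return bytes(b ^ key for b in data)


def split_payload(payload: bytes, n: int, key: int) -> dict:
    """Encrypt and split `payload` into n carrier PNGs named img0.png .. img{n-1}.png (constructed data)."""
    step = -(-len(payload) // n)  # ceiling division so every fragment is non-empty
    return {f"img{i}.png": build_carrier_png(xor_bytes(payload[i * step:(i + 1) * step], key))
            for i in range(n)}


def triage(images: dict) -> dict:
    """Return {filename: trailing_byte_count} for every PNG that carries data after IEND."""
    report = {}
    for name, data in images.items():
        try:
            extra = png_trailing_data(data)
        except ValueError:
            continue  # not a PNG or malformed; out of scope for this check
        if extra:
            report[name] = len(extra)
    return report


def reassemble_payload(images: dict, key: int) -> bytes:
    """Extract, decrypt and concatenate the trailing fragments in filename order."""
    parts = []
    for name in sorted(images):
        fragment = png_trailing_data(images[name])
        if not fragment:
            raise ValueError(f"{name}: no data after IEND")
        parts.append(xor_bytes(fragment, key))
    return b"".join(parts)


if __name__ == "__main__":
    # Constructed stand-in for an APK: real APKs are ZIP files beginning with "PK\x03\x04".
    fake_apk = b"PK\x03\x04" + bytes(range(256)) * 4
    carriers = split_payload(fake_apk, 4, key=0x5A)
    print(triage(carriers))
    print(reassemble_payload(carriers, 0x5A) == fake_apk)
```

In a real triage the input to `triage` would be the PNG assets extracted from the suspect APK; a clean image yields no entry, and the byte counts of the flagged ones add up to the size of whatever is being smuggled. Whether the reassembled blob is in fact an APK is then a separate check (a `PK\x03\x04` ZIP header is the first thing to look for).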

"One cash-out mechanism for SlopAds is through HTML5 (H5) games and news websites owned by the threat actors," the HUMAN researchers said. "These gaming sites frequently display ads, and the WebView in which the site is loaded is hidden, allowing the sites to monetize the impressions and clicks of many ads before the WebView closes."
Domains promoting the SlopAds apps are known to link to another domain, ad2[.]cc, that functions as a tier-2 C2 server. In all, an estimated 300 domains promoting such apps have been identified.
The disclosure comes a little over two months after HUMAN flagged another set of 352 Android apps as part of an ad fraud scheme codenamed IconAds.
"SlopAds highlights the evolving refinement of mobile ad fraud, including the execution of stealthy conditional fraud and the ability to scale quickly," said Gavin Reid, CISO at HUMAN.