'Konfety' Ad Fraud Uses 250+ Google Play Decoy Apps to Hide Malicious Twins

Jul 16, 2024 | Newsroom | Mobile Security / Online Security

Newly published research describes an "extensive ad fraud scheme" that uses numerous apps on the Google Play Store to carry out a range of malicious activities.

The operation has been codenamed Konfety, after the Russian word for candy, because it abuses a mobile advertising software development kit (SDK) associated with a Russia-based advertising network known as CaramelAds.

“Konfety introduces a fresh form of fraud and obfuscation, in which malicious actors operate ‘evil twin’ versions of ‘decoy twin’ apps available on major marketplaces,” HUMAN’s Satori Threat Intelligence Team said in a detailed report shared with The Hacker News.

While the decoy apps, more than 250 in total, are harmless and distributed through the Google Play Store, their corresponding “evil twins” are distributed through a malvertising campaign designed to facilitate ad fraud, monitor web searches, install browser extensions, and sideload APK files onto users’ devices.

What sets this operation apart is that the evil twin impersonates the decoy twin by spoofing the latter’s app ID and advertising publisher IDs when rendering ads. Both sets of decoy and evil twin apps run on the same infrastructure, allowing the malicious actors to scale their operations as needed.

Furthermore, many of the decoy apps not only work as intended, but most of them do not even display ads. They also include a GDPR consent notice.

“This ‘decoy/evil twin’ mechanism for obfuscation offers a unique approach for malicious actors to depict false traffic as authentic,” HUMAN researchers said. “At its peak, activity related to Konfety reached 10 billion requests per day.”

In other words, Konfety leverages the SDK’s ad rendering capabilities to carry out ad fraud while making it considerably harder to distinguish malicious traffic from genuine traffic.

The evil twin apps tied to Konfety are said to be spread through a malvertising campaign promoting APK mods and other software such as Letasoft Sound Booster, with the malicious URLs hosted on attacker-controlled domains, compromised WordPress sites, and other platforms that allow content uploads, such as Docker Hub, Facebook, Google Sites, and OpenSea.

Users who click on these URLs are redirected to a domain that tricks them into downloading the malicious evil twin app, which in turn acts as a dropper for a first-stage payload that is decrypted from the APK’s assets and used to establish command-and-control (C2) communications.

The first-stage payload also attempts to hide the app’s icon from the device’s home screen and launches a second-stage DEX payload that carries out the fraud by displaying out-of-context, full-screen video ads while the user is on the home screen or using another app.

“The core of the Konfety operation lies within the evil twin apps,” the researchers noted. “These apps mirror their corresponding decoy twin apps by replicating their app ID/package names and publisher IDs from the decoy twin apps.”

“The network traffic derived from the evil twin applications is functionally similar to network traffic derived from the decoy twin applications; the ad impressions displayed by the evil twins utilize the package name of the decoy twins in the request.”
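As an added illustration, not drawn from the HUMAN report or this article: a defender with ad-request logs can separate a decoy twin's traffic from an evil twin's by cross-checking fields the evil twin cannot copy. The package name and publisher ID are spoofed, as described above, but the app's signing key and its install source are not; the field names, digests, package names and log lines below are constructed placeholders.

```python
import json
from typing import Dict, List, Tuple

# Installer package recorded for apps installed from Google Play.
PLAY_INSTALLER = "com.android.vending"

# Constructed reference data (placeholders, not real Konfety indicators):
# for each Play-listed decoy package, the signing-certificate digest and
# publisher ID observed in the genuine Play build.
DECOY_REGISTRY: Dict[str, Dict[str, str]] = {
    "com.example.decoy.puzzle": {"signer": "sha256:DECOY-PUZZLE-KEY", "publisher_id": "pub-0001"},
    "com.example.decoy.wallpaper": {"signer": "sha256:DECOY-WALLPAPER-KEY", "publisher_id": "pub-0002"},
}

# Constructed ad-request log, one JSON record per line, as an SDK backend
# might record it. Device d3 is the evil twin: its package name and publisher
# ID are identical to the decoy's, so those fields alone look legitimate.
SAMPLE_LOG = """
{"device": "d1", "package": "com.example.decoy.puzzle", "publisher_id": "pub-0001", "signer": "sha256:DECOY-PUZZLE-KEY", "installer": "com.android.vending"}
{"device": "d2", "package": "com.example.decoy.wallpaper", "publisher_id": "pub-0002", "signer": "sha256:DECOY-WALLPAPER-KEY", "installer": "com.android.vending"}
{"device": "d3", "package": "com.example.decoy.puzzle", "publisher_id": "pub-0001", "signer": "sha256:UNKNOWN-KEY", "installer": "com.android.packageinstaller"}
{"device": "d4", "package": "com.example.other.game", "publisher_id": "pub-0099", "signer": "sha256:OTHER-KEY", "installer": "com.android.vending"}
"""


def classify_request(rec: dict) -> List[str]:
    """Return the reasons an ad request looks like it came from an evil twin
    of a known decoy, or an empty list if nothing is off."""
    ref = DECOY_REGISTRY.get(rec["package"])
    if ref is None:
        return []  # not a decoy package; nothing to compare against
    reasons = []
    # Package name and publisher ID are copied by the evil twin, so a match
    # there proves nothing; the signing key and install path are what differ.
    if rec.get("signer") != ref["signer"]:
        reasons.append("signing key differs from Play-listed decoy")
    if rec.get("installer") != PLAY_INSTALLER:
        reasons.append("installed outside Google Play")
    return reasons


def flag_evil_twins(log_text: str) -> List[Tuple[str, List[str]]]:
    """Scan a JSON-lines ad-request log and return (device, reasons) for
    every request that fails the decoy cross-check."""
    flagged = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        reasons = classify_request(rec)
        if reasons:
            flagged.append((rec["device"], reasons))
    return flagged
```

Run against the constructed log, only device d3 is flagged, for both the signer mismatch and the non-Play install source.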

Other capabilities of the malware include abusing the CaramelAds SDK to visit websites using the default web browser, luring users with notifications that urge them to click on the fraudulent links, and injecting modified versions of other advertising SDKs.

Moreover, users who install the evil twin apps are prompted to add a search toolbar widget to the device’s home screen, which covertly monitors their searches by sending the data to the domains vptrackme[.]com and youaresearching[.]com.

“Malicious actors comprehend that hosting malicious apps on stores is not a reliable strategy, and are devising imaginative and cunning techniques to evade detection and perpetrate lasting fraud,” the researchers concluded. “Actors establishing mediation SDK companies and disseminating the SDK to exploit high-quality publishers is an emerging tactic.”
