Security researchers have uncovered a huge ad fraud scheme involving 224 apps on the Google Play Store, downloaded more than 38 million times. The apps generated fake ad views in the background, stealing money from advertisers.
HUMAN's Satori Threat Intelligence team unveiled the fraud campaign and reported the apps to Google, which then removed them from the Play Store.
The fraud operation, dubbed SlopAds, had a concealed functionality to generate views for ads.
“These apps deliver their fraud payload using steganography and create hidden WebViews to navigate to threat actor-owned cashout sites, generating fraudulent ad impressions and clicks,” the report reads.
The threat actors’ infrastructure – such as promotional domains and command-and-control servers – and many of the apps shared an AI theme, which contributed to the operation’s name.
The researchers discovered that at its peak, SlopAds accounted for 2.3 billion bid requests a day. This massive scale indicates that threat actors could cause significant losses to advertisers, who received nothing in return for fake views.
The scheme generated fake ad traffic from 228 countries and territories. Most of the traffic came from the United States (31%), followed by India (11%) and Brazil (7%).
“All users who have these identified apps installed on their device will receive a warning and will be prompted to uninstall them. Play Protect is on by default on Android devices with Google Play Services,” the report reads.
Not every instance of an app was generating clicks
The threat actors spent extensive effort crafting a sophisticated scheme and remaining undetected. The fraudulent apps only committed fraud under certain circumstances.
Only the apps downloaded after clicking the threat actor’s ad committed fraud, while the other instances remained dormant.
“This abuse of marketing attribution technology is a novel approach to ad fraud, and underscores the growing sophistication of threat actors’ tactics,” the researchers said.
The apps collect lots of device and browser information, allowing the threat actors to target specific devices.
They later retrieve hidden instructions encrypted using Google’s Firebase platform, including links to the ad fraud tool, links to sites for cashing out money, and other scripts to carry out fraud.
Even the module for managing the fraud is delivered using PNG images, which are later reassembled on the user’s device to form the required code.
The fraud takes place within hidden WebViews – these objects are like simplified web browsers to display web content in apps.
“One cashout mechanism for SlopAds is through HTML5 (H5) game and news websites owned by the threat actors,” the researchers explained.
“These game sites show ads frequently, and since the WebView in which the sites are loaded is hidden, the sites can monetize numerous ad impressions and clicks before the WebView closes.”
A similar cashout mechanism was previously found in the BADBOX 2.0 scheme.
The researchers believe that 224 detected apps may only be the beginning for this threat actor. They found over 300 related domains promoting other fraudulent apps.
Your email address will not be published. Required fields are markedmarked