A massive Android advertising fraud operation dubbed "SlopAds" was disrupted after 224 malicious applications on Google Play were used to generate 2.3 billion ad requests per day.
The ad fraud campaign was discovered by HUMAN's Satori Threat Intelligence team, which reported that the apps had been downloaded more than 38 million times and used obfuscation and steganography to hide their malicious behavior from Google's security tooling.
The campaign was global, with users installing the apps from 228 countries and the operation accounting for 2.3 billion ad bid requests every day. The highest concentration of ad impressions came from the United States (30%), followed by India (10%) and Brazil (7%).
"Researchers dubbed this operation 'SlopAds' because the apps associated with the threat have the feel of mass-produced 'AI slop,' and in reference to a collection of AI-themed apps and services hosted on the threat actors' C2 server," said HUMAN.
Source: HUMAN Satori
SlopAds ad fraud campaign
The ad fraud scheme contained several layers of evasion tactics to avoid detection by Google's app review process and by security software.
If a user installed a SlopAds app organically via the Play Store, without arriving through one of the campaign's ads, it behaved as a normal app and performed its advertised functionality as usual.
Source: HUMAN Satori
However, if the app determined that it had been installed after the user clicked on one of the threat actor's ad campaigns, it used Firebase Remote Config to download an encrypted configuration file containing the URLs for the ad fraud malware module, the cashout servers, and a JavaScript payload.
The app would then check whether it was running on a legitimate user's device rather than being analyzed by a researcher or by security software.
If the app passed these checks, it downloaded four PNG images that use steganography to hide pieces of a malicious APK, which powers the ad fraud campaign.
Source: HUMAN Satori
Once downloaded, the images were decrypted and stitched together on the device to form the complete "FatModule" malware, which carried out the ad fraud.
Once FatModule was activated, it used hidden WebViews to collect device and browser information, then navigated to attacker-controlled ad fraud (cashout) domains.
These domains were disguised as games and news sites and continuously served ads through hidden WebViews, generating more than 2 billion fraudulent ad impressions and clicks per day and thereby producing revenue for the attackers.
HUMAN says the campaign infrastructure included numerous command and control servers and more than 300 related promotional domains, suggesting that the threat actors planned to expand beyond the 224 initially identified apps.
Google has since removed all known SlopAds apps from the Play Store, and Android's Google Play Protect has been updated to warn users to uninstall any found on their devices.
However, HUMAN warns that the sophistication of the ad fraud campaign indicates the threat actors will likely adapt their scheme and try again in future attacks.
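The report above does not say how the APK fragments were encoded into the PNGs, only that the images carried pieces of an APK that were later decrypted and reassembled. A structural scan of downloaded images is a cheap first-line check an analyst or an app vetting pipeline can apply to this kind of carrier file. The following is an added example, written for this article and not code from HUMAN or from the SlopAds apps: it walks the PNG chunk structure, flags chunk types outside the PNG specification, bad CRCs, and bytes appended after IEND, and looks for ZIP/APK and DEX magic in private chunks, in the inflated pixel stream, and in trailing data. The two sample images are constructed inline; the chunk name `prVt` and the payload bytes are made up for the demonstration.

```python
"""Structural scan of PNG files for signs of a hidden payload (added example, not from the article)."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG specification; anything else is flagged as non-standard.
STANDARD_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf",
}

# Magic bytes that have no business inside an image: ZIP/APK local-file header and DEX header.
PAYLOAD_MAGICS = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex"}


def _crc(ctype, body):
    return struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def parse_png_chunks(data):
    """Return (chunks, trailing): chunks is a list of (type, body, crc_ok),
    trailing is whatever follows the IEND chunk (should be empty)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        chunks.append((ctype, body, crc == _crc(ctype, body)))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def _find_magics(blob, where, findings):
    for magic, name in PAYLOAD_MAGICS.items():
        if magic in blob:
            findings.append("%s magic in %s" % (name, where))


def scan_png(data):
    """Return a list of human-readable findings; an empty list means nothing odd was seen."""
    findings = []
    chunks, trailing = parse_png_chunks(data)
    idat = b""
    for ctype, body, crc_ok in chunks:
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append("bad CRC on chunk %s" % name)
        if ctype not in STANDARD_CHUNKS:
            findings.append("non-standard chunk %s (%d bytes)" % (name, len(body)))
            _find_magics(body, "chunk " + name, findings)
        if ctype == b"IDAT":
            idat += body
    # A payload stored raw in the pixel bytes only becomes visible after inflating IDAT.
    try:
        _find_magics(zlib.decompress(idat), "pixel data", findings)
    except zlib.error:
        findings.append("IDAT does not inflate")
    if trailing:
        findings.append("%d bytes after IEND" % len(trailing))
        _find_magics(trailing, "trailing data", findings)
    return findings


# --- constructed samples (hypothetical, not real SlopAds artifacts) ---
def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + _crc(ctype, body)


def build_png(extra_chunks=(), trailing=b""):
    """Build a minimal 1x1 RGB PNG, optionally with extra chunks before IEND and bytes after it."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")            # filter byte 0 + one red pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat)
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailing


CLEAN_PNG = build_png()
SUSPECT_PNG = build_png(
    extra_chunks=[(b"prVt", b"PK\x03\x04" + b"\x00" * 64)],  # private chunk with an archive header
    trailing=b"dex\n035" + b"\x00" * 16,                    # DEX-looking bytes glued after IEND
)

if __name__ == "__main__":
    for label, png in (("clean", CLEAN_PNG), ("suspect", SUSPECT_PNG)):
        print(label, scan_png(png) or ["no findings"])
```

The standard chunk set is deliberately narrow, so vendor and APNG chunks (`acTL`, `fcTL`, `fdAT`, Apple's `iDOT`) will be flagged and should be allow-listed against your own telemetry. The scan catches appended or raw-embedded fragments only; payload hidden in the low-order bits of pixel values, or encrypted before embedding as the article describes, will not contain recognizable magic and needs entropy or differential checks against the app's other assets.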