Konfety Hackers Hosted 250 apps on Google’s Play Store to Push Malicious Ads

by Esmeralda McKenzie

Researchers discovered a new ad fraud operation named Konfety that leverages "decoy twin" apps on legitimate marketplaces and their malicious "evil twin" counterparts.

Decoy twins are seemingly harmless apps found on platforms like the Google Play Store, while evil twins, distributed via malvertising, commit ad fraud, install extensions, monitor web searches, and inject code.

Evil twins mimic decoy twins by spoofing their IDs to request and render ads, disguising fraudulent traffic as legitimate.

Over 250 decoy apps with corresponding evil twins have been identified, generating as many as 10 billion fraudulent ad requests daily.

Diagram showing how Konfety apps are distributed and operate

Konfety evil twin apps are spread through a malvertising campaign that promotes APK "mods" and various other off-Play Store applications.

The campaign redirects users to download low-quality applications or malicious APK files using DGA domains hosted on a single IP address.

The attackers also abuse UGC platforms and URL shortener services to spread malicious links.

Malicious PDFs containing the shortened URL are found on legitimate websites.

The combination of malvertising, malicious PDFs, and various other methods demonstrates the actors' attempt to spread their malware as widely as possible.

PDF file containing a URL that redirects the user to an APK download page

The fraud scheme uses three-stage evil twin apps.

The dropper APK, carrying an impersonated package name, is a simple app that loads an obfuscated stager from its resources; the stager then decrypts, loads, and runs the second stage, which contains the malicious code.

The first stage sets up C2 communication, hides the app icon, and configures persistence while decrypting the second-stage payload, which makes it difficult for users to identify and remove the app.

Empty icon and label seen in the app uninstall menu (left) and the code responsible (right)

The second stage of the malware, a decrypted DEX payload, loads a specific class and performs the fraudulent actions, which likely use backdoored ad SDKs and trigger a service disguised as an ad renderer depending on user presence.

The malware uses a unique ID (ZWMWD format) to identify itself on the CaramelAds platform. It is around 2 MB and uses custom obfuscation for every instance, making detection difficult despite consistent functionality across the various versions.

Class that performs service initialization to render ads depending on user presence
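As an added illustration (not code from the article or from the researchers), the script below turns the three-stage dropper pattern described above into a static triage heuristic: it scans an APK for a large high-entropy resource blob (what an encrypted second-stage DEX looks like at rest) and for a dynamic DEX-loader reference in classes.dex. The loader class names, the entropy threshold and the constructed sample APK are assumptions for this example, not indicators from the article.

```python
import io
import math
import os
import zipfile
from collections import Counter

# Both indicators are assumptions for this example, not IoCs from the article.
DYNAMIC_LOADERS = (b"dalvik/system/DexClassLoader", b"dalvik/system/InMemoryDexClassLoader")
ENTROPY_THRESHOLD = 7.5    # bits per byte; encrypted or compressed data sits near 8.0
MIN_BLOB_SIZE = 64 * 1024  # skip small files such as icons

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for constant data, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_apk(apk_bytes: bytes) -> dict:
    """Flag an APK that carries a high-entropy blob and references a dynamic DEX loader."""
    findings = {"high_entropy_blobs": [], "dynamic_loader_refs": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            name, data = info.filename, zf.read(info)
            # An encrypted second-stage DEX hidden in resources looks like random bytes.
            if name.startswith(("assets/", "res/raw/")) and len(data) >= MIN_BLOB_SIZE:
                ent = shannon_entropy(data)
                if ent >= ENTROPY_THRESHOLD:
                    findings["high_entropy_blobs"].append((name, round(ent, 2)))
            # The stager needs a runtime loader to execute the decrypted stage.
            if name.endswith(".dex"):
                for api in DYNAMIC_LOADERS:
                    if api in data:
                        findings["dynamic_loader_refs"].append((name, api.decode()))
    findings["suspicious"] = bool(findings["high_entropy_blobs"] and findings["dynamic_loader_refs"])
    return findings

def build_sample_apk(with_loader: bool = True) -> bytes:
    """Constructed stand-in for a dropper APK; random bytes mimic an encrypted stage."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        loader_ref = b"Ldalvik/system/DexClassLoader;" if with_loader else b""
        zf.writestr("classes.dex", b"dex\n035\x00" + loader_ref)
        zf.writestr("assets/stage2.bin", os.urandom(MIN_BLOB_SIZE))
        zf.writestr("res/raw/icon.png", b"\x89PNG" + b"\x00" * 512)
    return buf.getvalue()
```

Run `triage_apk(build_sample_apk())` to see both indicators fire on the constructed sample; legitimate apps that bundle compressed assets will also hit the entropy check, so treat the combination as a triage signal, not a verdict.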

The actors exploited a mobile advertising SDK, CaramelAds, to commit ad fraud. This was done by creating "evil twin" apps that mimicked legitimate "decoy twin" apps and displayed intrusive full-screen video ads even when the user wasn't actively using the app.

To hide their activity, the evil twins made ad requests that appeared to originate from the decoy twins, while the attackers embedded unique identifiers in the downloaded app itself, allowing them to track the effectiveness of their malvertising campaigns.

According to Human's Satori Threat Intelligence Team, the CaramelAds server's ability to open URLs and trigger notifications was also abused by the evil twins to redirect users to malicious websites or potentially spam them.

Source credit : cybersecuritynews.com