
Details have emerged regarding a “massive ad fraud operation” that uses hundreds of apps from the Google Play Store to carry out a variety of illegal actions.


The Konfety Campaign Explained

The campaign has been dubbed Konfety, the Russian word for candy, because of its use of a mobile advertising software development kit (SDK) affiliated with CaramelAds, a Russian ad network.

The Decoy and Evil Twin Strategy

“Konfety represents a new form of fraud and obfuscation, in which threat actors operate ‘evil twin’ versions of ‘decoy twin’ apps available on major marketplaces,” HUMAN’s Satori Threat Intelligence Team wrote in a technical study shared with The Hacker News.

While the decoy apps, which number over 250, are harmless and distributed through the Google Play Store, their “evil twins” are spread through a malvertising campaign designed to facilitate ad fraud, monitor web searches, install browser extensions, and sideload APK files onto users’ devices.

How the Campaign Works

The most interesting part of the campaign is that the evil twin impersonates the decoy twin by spoofing the latter’s app ID and advertising publisher IDs when generating adverts. Both the decoy and evil twin sets of apps use the same infrastructure, allowing threat actors to extend their activities massively as needed.

Behavior of the Decoy Apps

That said, the decoy apps not only behave as expected; most of them do not even display advertisements. They also include a GDPR consent notification.

Impact and Implications

“This ‘decoy/evil twin’ mechanism for obfuscation is a novel way for threat actors to represent fraudulent traffic as legitimate,” researchers at HUMAN stated. “At its peak, Konfety-related programmatic volume reached 10 billion requests per day.”

How Konfety Uses SDKs for Ad Fraud

To put it another way, Konfety uses the SDK’s ad rendering capabilities to perpetrate ad fraud by making it extremely difficult to discern between malicious and genuine traffic.

Distribution of Konfety Evil Twin Apps

The Konfety evil twin apps are said to be distributed through a malvertising campaign promoting APK mods and other software such as Letasoft Sound Booster. These campaigns use booby-trapped URLs hosted on attacker-controlled domains, compromised WordPress sites, and other platforms that allow content uploads, such as Docker Hub, Facebook, Google Sites, and OpenSea.

How Users are Tricked

Users who click on these URLs are routed to a domain that dupes them into installing the malicious evil twin app. This app serves as a dropper for a first-stage payload that decrypts the APK file’s assets and establishes command-and-control (C2) connections.

The Two-Stage Attack

The initial stager tries to remove the app’s icon from the device’s home screen and launches a second-stage DEX payload. This payload commits fraud by displaying out-of-context, full-screen video advertisements when the user is on their home screen or using another app.

“The crux of the Konfety operation lies in the evil twin apps,” the researchers stated. “These apps mimic their corresponding decoy twin apps by copying their app ID/package names and publisher IDs from the decoy twin apps.”

Network Traffic and Fraudulent Activity

“The network traffic derived from the evil twin applications is functionally identical to network traffic derived from the decoy twin applications; the ad impressions rendered by the evil twins use the package name of the decoy twins in the request.”
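Because the evil twin's ad requests carry the decoy's package name and publisher ID, the request itself looks legitimate; what differs is the app that sent it. The following is an added example (not code from HUMAN's report or the article) of host-side detection logic that enriches each ad-request log line with the requesting package's signing-certificate digest and flags requests where a Play-listed decoy's package name is used by an install signed with a different certificate, plus traffic to the two search-tracking domains the article names. The log format, package names, publisher IDs and certificate digests are constructed for illustration.

```python
"""Flag Konfety-style 'evil twin' ad requests in constructed device telemetry.

Assumption (hypothetical): an on-device agent logs each outbound ad request
together with the requesting package name and the SHA-256 digest of that
package's signing certificate.  Log format and all values are constructed.
"""
import re
from typing import Dict, List, Tuple

# Constructed inventory: package name -> signing-cert digest of the genuine
# Play-listed decoy app (hypothetical digests, not real values).
KNOWN_DECOYS: Dict[str, str] = {
    "com.example.decoy.game": "aa11",
    "com.example.decoy.wallpaper": "bb22",
}

# Search-tracking domains named in the article (defanged there as [.]).
SUSPECT_HOSTS = {"vptrackme.com", "youaresearching.com"}

LOG_RE = re.compile(
    r"pkg=(?P<pkg>\S+) pub=(?P<pub>\S+) cert=(?P<cert>\S+) host=(?P<host>\S+)"
)

# Constructed sample log lines: line 1 is the genuine decoy, line 2 the evil
# twin reusing the decoy's package name and publisher ID under another signer.
SAMPLE_LOG = [
    "2024-07-15T10:00:01Z pkg=com.example.decoy.game pub=pub-1001 cert=aa11 host=ads.example-network.test",
    "2024-07-15T10:00:02Z pkg=com.example.decoy.game pub=pub-1001 cert=ff99 host=ads.example-network.test",
    "2024-07-15T10:00:03Z pkg=com.example.toolbar pub=- cert=cc33 host=vptrackme.com",
    "2024-07-15T10:00:04Z pkg=com.example.other pub=pub-2002 cert=dd44 host=ads.example-network.test",
]


def classify(line: str) -> str:
    """Return 'spoofed', 'exfil', 'clean' or 'unparsed' for one log line."""
    m = LOG_RE.search(line)
    if not m:
        return "unparsed"
    if m["host"] in SUSPECT_HOSTS:
        return "exfil"  # search toolbar widget reporting to a tracking host
    expected = KNOWN_DECOYS.get(m["pkg"])
    # Decoy's package name, but the request came from a differently signed
    # install: the network side of the request is otherwise indistinguishable.
    if expected is not None and m["cert"] != expected:
        return "spoofed"
    return "clean"


def find_suspicious(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line index, verdict) for every non-clean, parsed line."""
    verdicts = [(i, classify(l)) for i, l in enumerate(lines)]
    return [(i, v) for i, v in verdicts if v in ("spoofed", "exfil")]
```

Run over `SAMPLE_LOG`, `find_suspicious` reports the second line as spoofed and the third as exfil; the point is that the signer mismatch, not the request contents, is what separates the twins.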

Additional Malware Capabilities

Other malware capabilities include exploiting the CaramelAds SDK to access websites using the default web browser, enticing users into clicking on fraudulent links via alerts, and sideloading modified versions of other advertising SDKs.

Monitoring and Data Collection

That is not all. Users who download the evil twin apps are encouraged to add a search toolbar widget to their device’s home screen, which secretly monitors their searches and sends the data to sites such as vptrackme[.]com and youaresearching[.]com.

“Threat actors understand that hosting malicious apps on stores is not a stable technique, and are finding creative and clever ways to evade detection and commit sustainable long-term fraud,” the study’s authors claimed. “Actors setting up mediation SDK companies and spreading the SDK to abuse high-quality publishers is a growing technique.”


About Rhyno Cybersecurity Services

Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.

Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.
