Researchers at WhiteOps warn that a family of malicious Android apps is spreading a new ad-fraud botnet by promising free shoes and other products to users who install the apps. The operation, which WhiteOps has dubbed “TerraCotta,” involved more than 5,000 spoofed apps and had infected 65,000 devices by the end of June 2020. The researchers explain that this phishing campaign was more subtle than most ad-fraud schemes.
“Many ‘scam’ apps like these across the internet lure users in to installing them under false pretenses, provide no meaningful functionality, and proceed to bombard their users with unwanted and intrusive ads,” the researchers write. “But this family of apps was different: the apps don’t report via Google Play that they are ad-supported, and no users were complaining of seeing unwanted ads. Further analysis of the app revealed no ads being shown and no obvious monetization mechanism.”
The purpose of the apps was to silently install a custom Android browser that generated phony ad impressions in the background to defraud advertisers. The researchers add that the fourteen-day waiting period for the promised shoes was one of the reasons the apps remained undetected for so long.
“But this tactic offers other ‘benefits’: the 14 day waiting period for the shoes means users are happy to leave an app installed on their phone that has no real functionality,” they explain. “This means not only is it cheap to build the app’s ‘cover’ function, but the malware can afford to ‘lay low’ for a period before activating, making it much harder for users to attribute the bad behavior once it starts. As an added bonus for the bad actor, the activation delay trips up cybersecurity analysis too: unless the app is kept under observation for an extended period of time—which is costly—no bad behavior is observed and the malware stays undetected by the anti-virus community.”
Google has been working hard to fight this operation and many of the malicious apps have now been removed from the Play Store. The researchers conclude that awareness is the best way for users to combat these scams.
“Talk to the people in your life that may need a reminder to tread carefully online and give them advice on how to spot a potentially fraudulent app,” they write. “Educating all consumers is how we can fight bad actors, like the TERRACOTTA operators, from making their schemes lucrative. Fraudsters will continue to find new ways to gain access to devices and use data for harm, so users must stay smart. For now, we suggest a safer option: check out a shoe store instead.”
No app or website will offer you valuable, real-world items for free without getting something in return. New-school security awareness training can teach your employees to recognize and avoid falling for offers that are too good to be true.
WhiteOps has the story.