Massive Android Ad Fraud ‘IconAds’ Uses Google Play to Target and Exploit Users
HUMAN’s Satori Threat Intelligence and Research Team has dismantled a sprawling ad fraud operation named IconAds, which infiltrated the Google Play Store with 352 malicious apps.
At its peak, this scheme generated a staggering 1.2 billion bid requests daily, flooding users’ screens with out-of-context ads while employing cunning tactics to hide app icons and obscure their origins.
This makes it nearly impossible for unsuspecting users to pinpoint and uninstall the offending apps.
Uncovering a Sophisticated Global Threat
The operation, an evolution of a threat monitored since 2023, showcased global reach, with significant traffic originating from Brazil, Mexico, and the United States.
Google has since removed all identified apps from its platform, and users are protected by Google Play Protect, which automatically blocks malicious behavior on Android devices with Google Play Services.
Delving into the technical intricacies, Satori researchers uncovered IconAds’ sophisticated methods to evade detection and persist on devices.
The apps employ layered obfuscation tactics, such as using random English words to mask critical data like device model and OS version during network communications, and encrypting strings via byte arrays decrypted by an O-MVLL obfuscated native library.
Technical Deceptions
Unique command-and-control (C2) domains for each app, often following a consistent yet generic syntax, further cloak the infrastructure, while shared backend resolution to specific CNAMEs hints at centralized control.
A particularly deceptive tactic involves a malicious activity-alias that overrides the default app icon and label with transparent or misleading visuals, sometimes mimicking legitimate apps such as the Google Play Store, so that the app blends into the device’s interface unnoticed.
Once active, these apps load intrusive interstitial ads irrespective of the foreground application, exploiting user interaction for fraudulent revenue.
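The icon-hiding pattern described above can be caught statically. The following script is an added example, not code from the HUMAN/Satori report or from IconAds itself: it parses an AndroidManifest.xml and flags any activity-alias that carries a LAUNCHER intent filter while overriding the application's own icon or label. The manifest is constructed for illustration, and the list of impersonated labels is an assumed, analyst-maintained watch-list.

```python
# Added example (not from the HUMAN/Satori report): static check for launcher
# activity-aliases that override the app icon/label, the icon-hiding pattern
# attributed to IconAds. SAMPLE_MANIFEST is constructed; IMPERSONATED_LABELS
# is an assumed watch-list an analyst would maintain.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed watch-list of labels an ad-fraud app might impersonate.
IMPERSONATED_LABELS = {"google play store", "google play services", "settings"}

# Constructed manifest: a "flashlight" app whose launcher alias pretends to be
# the Play Store and uses a transparent drawable as its icon.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlightpro">
  <application android:label="Flashlight Pro" android:icon="@mipmap/ic_launcher">
    <activity android:name=".MainActivity" android:exported="true"/>
    <activity-alias android:name=".HiddenLauncher"
                    android:targetActivity=".MainActivity"
                    android:label="Google Play Store"
                    android:icon="@drawable/ic_transparent"
                    android:enabled="false"
                    android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""


def _has_launcher_filter(elem):
    """True if the component declares an intent filter with the LAUNCHER category."""
    for f in elem.findall("intent-filter"):
        cats = {c.get(ANDROID_NS + "name") for c in f.findall("category")}
        if "android.intent.category.LAUNCHER" in cats:
            return True
    return False


def find_icon_hiding_aliases(manifest_xml):
    """Return findings for launcher aliases whose icon or label differ from the app's own."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_label = app.get(ANDROID_NS + "label")
    app_icon = app.get(ANDROID_NS + "icon")
    findings = []
    for alias in app.findall("activity-alias"):
        if not _has_launcher_filter(alias):
            continue
        label = alias.get(ANDROID_NS + "label")
        icon = alias.get(ANDROID_NS + "icon")
        reasons = []
        if icon and icon != app_icon:
            reasons.append("icon overridden (%s)" % icon)
        if label and label != app_label:
            reasons.append("label overridden (%s)" % label)
        if label and label.strip().lower() in IMPERSONATED_LABELS:
            reasons.append("label impersonates a system/brand app")
        if alias.get(ANDROID_NS + "enabled") == "false":
            # a disabled alias can be enabled later via PackageManager, so the
            # visible icon can change after install
            reasons.append("alias disabled in manifest; can be toggled at runtime")
        if reasons:
            findings.append({"alias": alias.get(ANDROID_NS + "name"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_icon_hiding_aliases(SAMPLE_MANIFEST):
        print(finding["alias"], "->", "; ".join(finding["reasons"]))
```

On a real APK the manifest is binary-encoded and must first be decoded (for example with apktool or androguard) before this check runs; the heuristic is deliberately narrow so that ordinary aliases, which reuse the application's icon and label, produce no findings.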
The evolution of IconAds is equally concerning, with newer variants identified in October 2023 introducing advanced obfuscation using tools like StringFog, multibyte XOR encoding, and dynamic loading of encrypted DEX files from assets.

Some apps even embed fraud logic in malicious ELF libraries, while others disguise themselves with Google-related icons and names to deceive users further.
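Two of the techniques just listed, multibyte XOR encoding and DEX files loaded from the assets directory, can be unwound together during analysis because a DEX file has a fixed header layout. The following is an added example, not code from the report or from the IconAds samples: it recovers a short repeating XOR key from an encoded asset by treating the DEX magic, the constant header size (0x70) and the endian tag (0x12345678) as known plaintext, then decodes the asset. The "asset" is constructed by encoding a fake DEX header with an assumed 3-byte key; the maximum key length of 8 is an assumption of this example.

```python
# Added example (not from the HUMAN/Satori report or IconAds): recover a
# repeating multibyte XOR key from an asset that should decode to a DEX file.
# Known plaintext comes from the DEX header: "dex\n" + version + "\0" at
# offset 0, header_size = 0x70 (little-endian) at offset 36 and the
# endian_tag 0x12345678 (little-endian) at offset 40.
KNOWN_PLAINTEXT = {
    0: 0x64, 1: 0x65, 2: 0x78, 3: 0x0A, 7: 0x00,   # "dex\n" ... "\0"
    36: 0x70, 37: 0x00, 38: 0x00, 39: 0x00,        # header_size = 0x70
    40: 0x78, 41: 0x56, 42: 0x34, 43: 0x12,        # endian_tag, little-endian
}
DEX_MAGIC = b"dex\n035\x00"


def xor_bytes(data, key):
    """Apply a repeating multibyte XOR key; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(blob, max_key_len=8):
    """Return the shortest repeating key (<= max_key_len) consistent with the DEX header, or None.

    For key lengths up to 8 the offsets 36..43 alone fix every key byte, and the
    magic bytes at 0..3 and 7 then act as an independent consistency check, so a
    random blob is not accepted.
    """
    if len(blob) < 44:
        return None
    for klen in range(1, max_key_len + 1):
        key = [None] * klen
        consistent = True
        for off, plain in KNOWN_PLAINTEXT.items():
            kb = blob[off] ^ plain
            idx = off % klen
            if key[idx] is None:
                key[idx] = kb
            elif key[idx] != kb:
                consistent = False
                break
        if not consistent or None in key:
            continue
        key = bytes(key)
        version = xor_bytes(blob[:8], key)[4:7]
        if version.isdigit():              # e.g. b"035", b"039"
            return key
    return None


def decode_asset(blob):
    """Decode an XOR-encoded DEX asset; returns the plaintext bytes or None."""
    key = recover_xor_key(blob)
    if key is None:
        return None
    return xor_bytes(blob, key)


def _fake_dex(payload=b"constructed payload, not real bytecode"):
    """Build a minimal, constructed DEX-like blob (header only, no real sections)."""
    hdr = bytearray(0x70)
    hdr[0:8] = DEX_MAGIC
    hdr[32:36] = (0x70 + len(payload)).to_bytes(4, "little")   # file_size
    hdr[36:40] = (0x70).to_bytes(4, "little")                  # header_size
    hdr[40:44] = (0x12345678).to_bytes(4, "little")            # endian_tag
    return bytes(hdr) + payload


# Constructed sample: the fake DEX encoded with an assumed 3-byte key.
SAMPLE_KEY = b"\x5a\xa5\x3c"
FAKE_DEX = _fake_dex()
SAMPLE_ASSET = xor_bytes(FAKE_DEX, SAMPLE_KEY)


if __name__ == "__main__":
    key = recover_xor_key(SAMPLE_ASSET)
    print("recovered key:", key.hex() if key else None)
    print("decodes to DEX:", decode_asset(SAMPLE_ASSET)[:8] == DEX_MAGIC)
```

Because only header bytes are used, the routine works on a partially extracted asset and never needs the app's own decryption code; a recovered plaintext can then be handed to a DEX decompiler for the usual review.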
A notable adaptation includes a license check using the PairIP library to verify that the app was installed from the Play Store, halting malicious activity if the app was sideloaded, so that analysts who install it outside the Play Store see nothing malicious.
Additionally, IconAds apps leverage third-party DeepLinking services to trigger malicious flows selectively, showcasing a calculated approach to dynamic testing evasion.
Despite their short shelf lives on the Play Store, these apps represent a persistent threat, with Satori researchers anticipating further adaptations and new obfuscation techniques.
According to the report, HUMAN’s Ad Fraud Defense platform has successfully shielded its customers from IconAds’ impact, and the team continues to monitor the threat landscape for emerging variants.
For ecosystem stakeholders, recommendations include stringent inventory vetting by Demand Side Platforms (DSPs) to avoid suspicious apps and real-time monitoring of C2 infrastructure using updated threat intelligence.
Supply Side Platforms (SSPs) are urged to enhance anomaly detection for unusual traffic patterns and enforce transparency in app metadata.
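The two platform-side recommendations above, anomaly detection on traffic patterns and matching C2 infrastructure against threat intelligence, can be illustrated on a small request log. The script below is an added example, not code from HUMAN or the report: it buckets bid requests per app per hour, flags buckets that exceed a multiple of the app's own median hourly volume, and separately flags requests whose host resolved to a CNAME on a watch-list, following the article's note that the C2 domains share backend CNAMEs. The log lines, the resolver output and the watch-list entries are all constructed placeholders; the threshold factor and minimum count are assumptions to tune per platform.

```python
# Added example (not from the HUMAN/Satori report): per-app hourly rate
# anomalies plus CNAME-based C2 matching over a constructed request log.
import statistics
from collections import Counter, defaultdict

# Assumed threat-intel watch-list of backend CNAMEs (placeholders, not real IoCs).
C2_CNAMES = {"c2-backend.example.invalid"}
# Assumed resolver output captured by the pipeline (host -> CNAME); constructed.
RESOLVED_CNAMES = {"ads-sync-api.example.invalid": "c2-backend.example.invalid"}


def _build_sample_log():
    """Constructed log: one steady app and one app that bursts in its last hour."""
    lines = []
    for hour in range(6):
        for i in range(10):
            lines.append(f"2025-07-01T{hour:02d}:{i:02d}:00Z com.example.cleanapp ads.cleanvendor.example.invalid")
        burst = 200 if hour == 5 else 10
        for i in range(burst):
            lines.append(f"2025-07-01T{hour:02d}:{i // 60:02d}:{i % 60:02d}Z com.example.suspect ads-sync-api.example.invalid")
    return lines


def parse_log(lines):
    """Each line is '<ISO-8601 timestamp> <app id> <request host>'; bucket by hour."""
    records = []
    for line in lines:
        ts, app, host = line.split()
        records.append((ts[:13], app, host))      # "YYYY-MM-DDTHH"
    return records


def hourly_counts(records):
    counts = defaultdict(Counter)
    for hour, app, _ in records:
        counts[app][hour] += 1
    return counts


def rate_anomalies(records, factor=5.0, min_requests=50):
    """Flag (app, hour, count) where count exceeds factor x the app's median hourly volume."""
    flagged = []
    for app, per_hour in hourly_counts(records).items():
        baseline = statistics.median(per_hour.values())
        for hour, n in sorted(per_hour.items()):
            if n >= min_requests and n > factor * baseline:
                flagged.append((app, hour, n))
    return flagged


def c2_matches(records):
    """Return (app, host) pairs whose host resolved to a watch-listed CNAME."""
    hits = set()
    for _, app, host in records:
        if RESOLVED_CNAMES.get(host) in C2_CNAMES:
            hits.add((app, host))
    return sorted(hits)


SAMPLE_RECORDS = parse_log(_build_sample_log())

if __name__ == "__main__":
    for app, hour, n in rate_anomalies(SAMPLE_RECORDS):
        print(f"rate anomaly: {app} sent {n} requests in {hour}")
    for app, host in c2_matches(SAMPLE_RECORDS):
        print(f"C2 match: {app} -> {host}")
```

A median baseline is used rather than a mean so that a single burst hour does not inflate the app's own baseline; in production the baseline would span days, and the CNAME lookup would come from passive DNS rather than a static dictionary.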
As IconAds exemplifies the growing sophistication of mobile ad fraud, proactive collaboration across the industry remains crucial to safeguard digital advertising integrity and user trust.