Konfety Hackers Hosted apps on Google’s Play Store to Push Malicious Ads


Researchers discovered a new ad fraud scheme named Konfety that leverages “decoy twin” apps on official marketplaces and their malicious “evil twin” counterparts. 

Decoy twins are seemingly harmless apps found on platforms like the Google Play Store, while evil twins, distributed via malvertising, commit ad fraud, install extensions, monitor web searches, and inject code. 


Evil twins mimic decoy twins by spoofing IDs to request and display ads, disguising fraudulent traffic as legitimate.

Over 250 decoy apps with corresponding evil twins were identified, generating up to 10 billion fraudulent ad requests daily.  

Diagram showing how Konfety apps are distributed and operate

Konfety Evil Twin apps are spread through a malvertising campaign that promotes APK “mods” and other off-Play Store applications. 

The campaign redirects users to download low-quality applications or malicious APK files using DGA domains hosted on a single IP address.

The attackers also abuse UGC platforms and URL shortener services to spread malicious links. 


Malicious PDFs containing the URL shortener are found on legitimate websites.

The combination of malvertising, malicious PDFs, and other methods demonstrates the actors’ attempt to spread their malware as widely as possible.  

PDF file containing a URL which redirects the user to an APK download page

The fraud scheme relies on three-stage evil twin apps.

The dropper APK, which carries an impersonated package name, is a simple app that loads an obfuscated stager from its assets and then decrypts, loads, and runs the second stage, which contains the malicious code. 

The first stage sets up C2 communication, hides the app icon, and configures persistence while decrypting the second-stage payload; hiding the icon makes the app difficult for users to identify and remove. 

Empty icon and label seen in the app uninstall menu (left) and the code responsible (right)

The second stage of the malware, a decrypted DEX payload, loads a specific class and carries out the fraudulent activity. It likely relies on backdoored ad SDKs and triggers a service disguised as an ad renderer, which is started depending on whether the user is present. 

The malware uses a unique ID (ZWMWD format) to identify itself on the CaramelAds platform. The payload is around 2 MB and uses custom obfuscation for each instance, which makes detection difficult even though the functionality is consistent across versions. 

Class that performs service initialization to render ads depending on user presence

The malicious actors exploited a mobile advertising SDK, CaramelAds, to commit ad fraud. They did so by creating “evil twin” apps that mimic legitimate “decoy twin” apps; the evil twins display intrusive full-screen video ads even when the user is not actively using the app. 

To mask their activity, the evil twins made ad requests that appeared to originate from the decoy twins, while the attackers embedded unique identifiers within the downloaded app itself, allowing them to track the effectiveness of their malvertising campaigns. 
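As an added illustration of how an ad platform could catch the ID spoofing described above (this is example code written for this article, not Human's or CaramelAds' tooling), the script below checks each ad request's claimed package name against the signing certificate expected for the genuine decoy app. The log format, package names, certificate digests and installer values are all constructed placeholders, not indicators from the Konfety research.

```python
"""Flag ad requests that claim a decoy-twin package ID but are not signed by the decoy's key.

Assumption: the SDK back end logs, per request, the claimed package name, the digest of
the signing certificate it observed on the device, and the installer package. All values
here are constructed placeholders.
"""
import json
from collections import Counter

# Allow-list of decoy-twin package names mapped to the signing-certificate digest of the
# genuine Play Store build (placeholder digests, not real values).
KNOWN_SIGNERS = {
    "com.example.decoy.puzzle": "SHA256:PLACEHOLDER_DECOY_PUZZLE",
    "com.example.decoy.wallpaper": "SHA256:PLACEHOLDER_DECOY_WALLPAPER",
}
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed telemetry: one JSON record per ad request.
SAMPLE_LOG = [
    '{"pkg": "com.example.decoy.puzzle", "signer": "SHA256:PLACEHOLDER_DECOY_PUZZLE", "installer": "com.android.vending"}',
    '{"pkg": "com.example.decoy.puzzle", "signer": "SHA256:PLACEHOLDER_EVIL_TWIN", "installer": "com.android.packageinstaller"}',
    '{"pkg": "com.example.decoy.wallpaper", "signer": "SHA256:PLACEHOLDER_DECOY_WALLPAPER", "installer": "com.android.packageinstaller"}',
    '{"pkg": "com.example.decoy.wallpaper", "signer": "SHA256:PLACEHOLDER_EVIL_TWIN", "installer": null}',
    '{"pkg": "com.other.app", "signer": "SHA256:PLACEHOLDER_OTHER", "installer": "com.android.vending"}',
    'this line is not json',
]


def classify(record: dict) -> str:
    """Return a verdict for one ad-request record."""
    expected = KNOWN_SIGNERS.get(record.get("pkg"))
    if expected is None:
        return "unknown_pkg"          # not a decoy we track; out of scope for this check
    if record.get("signer") != expected:
        return "spoofed_id"           # claims the decoy's ID but is signed by a different key
    if record.get("installer") != PLAY_STORE_INSTALLER:
        return "sideloaded"           # genuine signer, but not installed from Play; worth review
    return "ok"


def analyze(lines):
    """Tally verdicts and count spoofed requests per claimed package."""
    verdicts, spoofed_per_pkg = Counter(), Counter()
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            verdicts["malformed"] += 1   # never let a bad line abort the whole batch
            continue
        verdict = classify(record)
        verdicts[verdict] += 1
        if verdict == "spoofed_id":
            spoofed_per_pkg[record["pkg"]] += 1
    return verdicts, spoofed_per_pkg
```

A production version would also rate-limit on the spoofed-per-package counts, since the volume reported above (billions of requests a day) is itself a signal.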

According to Human’s Satori Threat Intelligence Team, the evil twins also abused the CaramelAds server’s ability to open URLs and trigger notifications, potentially redirecting users to malicious websites or content.  

