Clever advertising scam with Android apps busted after all

A new scheme for covertly fetching ads has surprised security researchers. Google had to remove more than 200 apps from the Play Store.

Demo banner "Your advertising could be here"

(Image: Alex Schröder CC-BY-SA 2.0)


Google has removed 224 fraudulent Android apps from its Play Store. They were installed a total of 38 million times by Android users in 228 countries and triggered 2.3 billion fraudulent ad impressions per day that no one ever saw. This is classic ad fraud, but unusually well hidden. It was nevertheless uncovered by security researchers at Human, who call the case “SlopAds,” alluding to “AI slop,” the term for low-quality AI-generated media content.

The fraudulent applications were mostly AI-themed and, as submitted to the Play Store and offered for download, contained no malicious functionality in the strict sense. Only after installation was complete did the app download an encrypted configuration via Firebase Remote Config. This configuration contained hyperlinks: a list of over 300 fraudulent websites through which the third-party ads were delivered, a link to a JavaScript file that controlled the covert loading of those ads in a WebView, and links to four PNG image files.

Further code was hidden steganographically in these images. From it, the apps assembled the actual malicious component, which Human calls “FatModule.” This module first checked how the user had obtained the app. If the app had been found through a search in the Play Store and installed from there, it only did what it advertised, and the malicious code was never activated.

However, the fraudsters had also placed ads of their own, advertising their apps. If a user clicked on such an ad, landed in Google's Play Store, and installed the app, its fraud mode was activated. This was meant to exclude security researchers, who are more likely to go to the Play Store directly than to click on an ad.

In addition, the apps looked for signs that they might be running under a security researcher's control, such as a rooted operating system, an emulator, or debugging tools. Only if none of these was found did the covert loading of ads begin in a hidden WebView. Even then, the requests were routed through several redirects so that the ad server never saw a suspicious referrer.
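The article does not say how the code was hidden in the four PNG files. As an added example (not Human's tooling and not part of the original article), the following Python script shows the structural checks an analyst can run over image assets pulled out of an APK (an APK is a zip archive, so its `res/` and `assets/` directories can be unzipped directly) to spot payloads stashed in the PNG container: data appended after the IEND chunk, non-standard chunks, CRC mismatches, and an IDAT stream that decompresses to more bytes than the declared image dimensions need. Pixel-level (LSB) steganography passes all of these checks and needs statistical analysis of the pixel data instead. The sample image, the `prVt` chunk name and the tampering helpers are constructed here for the demonstration.

```python
"""Structural audit of PNG files for stashed payloads (defender-side triage).

Added example; not Human's or Google's tooling. It inspects the PNG container
only: it does not detect pixel-level (LSB) steganography.
"""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types defined by the PNG specification and its registered extensions.
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP",
    b"sBIT", b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs",
    b"sPLT", b"tIME", b"eXIf",
}
# Samples per pixel for each PNG colour type (greyscale, RGB, palette, grey+alpha, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png(width: int, height: int, rgb_rows: list[bytes], extra_raw: bytes = b"") -> bytes:
    """Build a minimal 8-bit RGB PNG from raw rows (constructed input).

    extra_raw is appended to the raw scanline stream before compression; it is
    only used here to construct a tampered sample with an oversized IDAT.
    """
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + row for row in rgb_rows) + extra_raw  # filter type 0 per row
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def parse_chunks(data: bytes):
    """Walk the chunk list and return (chunks, trailing_bytes). Stops at IEND."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc_bytes = data[pos + 8 + length:pos + 12 + length]
        if len(body) < length or len(crc_bytes) < 4:
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        (crc,) = struct.unpack(">I", crc_bytes)
        crc_ok = crc == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append({"type": ctype, "offset": pos, "length": length, "data": body, "crc_ok": crc_ok})
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks, data[pos:]


def audit_png(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing structural stood out."""
    findings = []
    chunks, trailing = parse_chunks(data)
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after IEND")
    for c in chunks:
        name = c["type"].decode("latin-1")
        if not c["crc_ok"]:
            findings.append(f"CRC mismatch in {name} at offset {c['offset']}")
        if c["type"] not in KNOWN_CHUNKS:
            findings.append(f"non-standard chunk {name} ({c['length']} bytes)")
    ihdr = next((c for c in chunks if c["type"] == b"IHDR"), None)
    if ihdr is None:
        findings.append("missing IHDR")
        return findings
    width, height, depth, ctype, _, _, interlace = struct.unpack(">IIBBBBB", ihdr["data"])
    if interlace == 0 and ctype in CHANNELS:
        # Non-interlaced image: the raw stream is exactly height rows of (filter byte + pixel bytes).
        # Adam7-interlaced images have a different layout and are skipped here.
        row_bytes = (width * CHANNELS[ctype] * depth + 7) // 8
        expected = height * (1 + row_bytes)
        idat = b"".join(c["data"] for c in chunks if c["type"] == b"IDAT")
        try:
            actual = len(zlib.decompress(idat))
        except zlib.error:
            findings.append("IDAT stream does not decompress")
        else:
            if actual != expected:
                findings.append(f"IDAT decompresses to {actual} bytes, expected {expected} for {width}x{height}")
    return findings


# Constructed 2x2 RGB image: red, green / blue, white.
ROWS = [b"\xff\x00\x00\x00\xff\x00", b"\x00\x00\xff\xff\xff\xff"]


def sample_clean() -> bytes:
    return build_png(2, 2, ROWS)


def sample_appended() -> bytes:
    return sample_clean() + b"\x90" * 40  # constructed 40-byte blob after IEND


def sample_private_chunk() -> bytes:
    clean = sample_clean()  # last 12 bytes are the empty IEND chunk
    return clean[:-12] + chunk(b"prVt", b"A" * 16) + chunk(b"IEND", b"")


def sample_padded_idat() -> bytes:
    return build_png(2, 2, ROWS, extra_raw=b"\x00" * 8)


if __name__ == "__main__":
    for label, fn in [("clean", sample_clean), ("appended", sample_appended),
                      ("private chunk", sample_private_chunk), ("padded IDAT", sample_padded_idat)]:
        print(f"{label}: {audit_png(fn()) or ['no findings']}")
```

Run over every PNG under an unpacked APK, a file with any finding is worth a closer look; a clean result only says the container is well-formed, which is exactly why pixel-level hiding remains attractive to fraud operators and why such images are best examined together with the code that loads and decodes them.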

Workflow of the not-always-fraudulent apps

(Image: Human)

Human informed Google, which removed the 224 known apps from the Play Store. Google Play will prompt users who have already installed such apps to remove them from their devices.


It is not known how long the perpetrators have been at work; after all, they had racked up 38 million downloads, and more apps were still being added while Human's investigation was ongoing.

The researchers do not expect the perpetrators to turn to earning an honest living from now on; it is more likely that they will soon try again with an even more sophisticated ad fraud scheme. The victims are, on the one hand, advertisers who pay for ads that no one ever sees and, on the other, app users whose bandwidth, processing power, and battery charge are wasted on systematic fraud.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.