Application security, Threat Intelligence

Hundreds of fake apps concealed malicious twins in widespread ad fraud campaign


More than 250 decoy apps on the Google Play Store have been used by threat actors to obscure the malicious activity of their "evil twin" versions, which share the same app IDs and infrastructure, as part of the widespread Konfety ad fraud campaign, which also abuses the software development kit of Russian ad network CaramelAds, The Hacker News reports.

Malvertising URLs for legitimate software and APK mods have been used to spread the evil twin apps, which act as a first-stage dropper that establishes command-and-control communications and hides the app icon before executing a second DEX payload that shows full-screen video ads, according to a report from HUMAN's Satori Threat Intelligence Team. That payload also abuses the CaramelAds SDK to sideload additional advertising SDKs, and prompts victims to install a search toolbar widget on their home screens that tracks their search activity. "Threat actors understand that hosting malicious apps on stores is not a stable technique, and are finding creative and clever ways to evade detection and commit sustainable long-term fraud. Actors setting up mediation SDK companies and spreading the SDK to abuse high-quality publishers is a growing technique," said researchers.
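As an added illustration (not code from the article or from HUMAN's report), the heuristic below flags installed apps that fit the "evil twin" pattern described above: the package name matches a Play-listed decoy, but the APK was signed with a different certificate, or it hides its launcher icon and was not installed by the Play Store. The catalog, fleet inventory and fingerprints are constructed sample values.

```python
"""Flag Konfety-style "evil twin" installs in a constructed fleet inventory."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed "Play catalog": package name -> SHA-256 of the decoy's signing cert.
PLAY_CATALOG = {
    "com.example.flashlight": "aa" * 32,
    "com.example.wallpapers": "bb" * 32,
}

PLAY_INSTALLER = "com.android.vending"  # installer package recorded for Play installs


@dataclass(frozen=True)
class InstalledApp:
    device: str
    package: str
    signer_sha256: str       # fingerprint of the APK signing certificate
    installer: Optional[str]  # installing package; None means sideloaded
    launcher_visible: bool   # does the app still show an icon in the launcher?


def evil_twin_findings(apps: List[InstalledApp]) -> List[Tuple[str, str, str]]:
    """Return (device, package, reason) for each app matching the twin heuristic."""
    findings = []
    for app in apps:
        expected = PLAY_CATALOG.get(app.package)
        if expected is None:
            continue  # package name not on the Play catalog; out of scope here
        if app.signer_sha256.lower() != expected:
            # Same app ID as a Play listing, but a different signer: a twin.
            findings.append((app.device, app.package, "signer differs from Play listing"))
        elif not app.launcher_visible and app.installer != PLAY_INSTALLER:
            # Dropper behaviour from the report: icon hidden, not installed via Play.
            findings.append((app.device, app.package, "hidden icon, sideloaded"))
    return findings


# Constructed inventory, e.g. collected from `pm list packages` plus apksigner output.
SAMPLE_INVENTORY = [
    InstalledApp("dev-01", "com.example.flashlight", "aa" * 32, PLAY_INSTALLER, True),
    InstalledApp("dev-02", "com.example.flashlight", "cc" * 32, None, False),
    InstalledApp("dev-03", "com.example.wallpapers", "bb" * 32, None, False),
    InstalledApp("dev-03", "com.example.notes", "dd" * 32, None, True),
]

if __name__ == "__main__":
    for device, pkg, reason in evil_twin_findings(SAMPLE_INVENTORY):
        print(f"{device} {pkg}: {reason}")
```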
