The malware campaign promised users a free pair of shoes within 14 days of ordering them from within the app.
Most scams we come across on the Play Store take the form of apps that offer some legitimate functionality while carrying out malicious activity in the background. However, there are a few times when vulnerabilities put billions of Android devices at risk, or when some genius thinks of doing the bare minimum and getting away with it.
In the latest case, researchers from White Ops have reported on one such malware campaign, in which fraudsters uploaded apps to the Play Store that promised users a free pair of shoes within 14 days of ordering them from within the app.
Users could pick a pair of their choice with the promise that it would be shipped in 14 days. This naturally amused users, as seen in the good reviews that piled up.
However, reality kicked in and the shoes never came, because that wasn’t the purpose of the apps anyway. In actuality, the apps were delivering ad malware dubbed TERRACOTTA. The researchers explain in their blog post:
“The real payload—a customized Android browser packaged alongside a control module written in the React Native development framework—is loaded onto the phone and used to generate fraudulent ad impressions, sold into the programmatic advertising ecosystem, and defrauding advertisers at scale.”
This resulted in over 65,000 ad impressions with 5,550 spoofed apps and the total number of advertising bids at 2.4 billion as of July 2020.
Importantly, to keep advertisers interested in their ad network, the fraudsters concealed the true source of the ad traffic. They told advertisers that the traffic came from popular, widely downloaded apps, giving the impression that it was worth the money spent.
To conclude, the apps were removed in coordination with Google, and the malware’s traffic decreased by a large extent.
For those impacted by this scam, the researchers recommend a range of actions. Firstly, app publishers are advised to use an app-ads.txt file, which helps protect their apps from being spoofed or impersonated, as was done in this case.
Secondly, advertisers should only work with apps that are “app-ads.txt verified”. Finally, end users should avoid downloading apps that promise something too good to be true, and should check the timeline of an app’s reviews, which in essence shows how long the app has been around.
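To make the app-ads.txt recommendation concrete, here is an added example (not code from White Ops or from this article) of the check an advertiser-side system can run: parse the app developer's app-ads.txt and reject a bid whose exchange and seller account are not listed. It assumes the file has already been fetched from the developer's website; every domain, account ID and bid below is constructed.

```python
# Added example: authorised-seller check against an app's app-ads.txt.
# The file content, domains, account IDs and bids are constructed samples.

SAMPLE_APP_ADS_TXT = """\
# app-ads.txt for a hypothetical publisher (constructed sample)
contact=adops@publisher.example
adexchange.example, pub-1234, DIRECT, abc123def456
Reseller.Example , 98765 , reseller   # inline comment
this line is malformed
"""

def parse_app_ads_txt(text):
    """Return a set of (ad_system_domain, seller_account_id, relationship)."""
    records = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = [f.strip() for f in line.split(",")]
        # Variable lines (contact=, subdomain=) and malformed lines
        # are not seller records.
        if len(fields) < 3 or "=" in fields[0]:
            continue
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue
        records.add((fields[0].lower(), fields[1], relationship))
    return records

def is_authorized(records, ad_system_domain, seller_account_id):
    """True if the developer lists this exchange/seller pair.
    Domains are compared case-insensitively, account IDs exactly."""
    domain = ad_system_domain.strip().lower()
    return any(d == domain and a == seller_account_id for d, a, _ in records)

def unauthorized_bids(records, bids):
    """Return the bids whose claimed seller is not in the app's app-ads.txt."""
    return [b for b in bids
            if not is_authorized(records, b["exchange"], b["seller_id"])]

# Constructed bids that both claim to come from the same popular app.
BIDS = [
    {"bundle": "com.publisher.example.app", "exchange": "adexchange.example", "seller_id": "pub-1234"},
    {"bundle": "com.publisher.example.app", "exchange": "adexchange.example", "seller_id": "pub-9999"},
]

if __name__ == "__main__":
    for bid in unauthorized_bids(parse_app_ads_txt(SAMPLE_APP_ADS_TXT), BIDS):
        print("reject:", bid)
```

The second bid names the genuine app's bundle ID but a seller account the developer never authorised, which is the mismatch that spoofed inventory produces when the real publisher maintains an app-ads.txt file.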