A new ad fraud campaign named Konfety has been uncovered by HUMAN Security, Inc. [4] [7] [8], revealing over 250 decoy apps on Google Play that conceal malicious twins associated with the Russian ad network CaramelAds [1].
Description
This operation [3] [4] [5] [7] [8], discovered by HUMAN's Satori Threat Intelligence Team, employs an "evil twin" evasion technique to carry out malicious activities such as generating fake ad clicks, redirecting users to harmful sites [1], and sideloading additional APKs [4] [8]. The threat actors behind Konfety publish decoy apps on the Google Play Store [6]: the Play Store app itself is harmless, while its twin carries out the fraudulent activity. By spoofing the decoy's app ID and advertising publisher ID [2] [5], the malicious twin poses as the legitimate app, making it difficult to distinguish real traffic from fraudulent traffic [3] [5].

The malware is distributed through a malvertising campaign that promotes APK mods and other software [5], with URLs hosted on attacker-controlled domains and compromised websites [5]. Users who click on these URLs unknowingly download the malicious app [5], which then establishes communication with command-and-control servers and displays irrelevant ads to generate revenue for the threat actors. The malware also includes features such as monitoring user searches and installing modified advertising SDKs [5].

HUMAN researchers have identified the threat actor group behind Konfety and provided detection and signaturing insight to track additional apps using the same techniques [7]. Customers partnering with HUMAN for ad fraud defense are protected from the impacts of Konfety [7], which aims to evade detection and commit long-term fraud in the digital advertising supply chain [7]. This operation highlights the evolving tactics of ad fraudsters to avoid detection and perpetrate long-term fraud [8], emphasizing the importance of heightened vigilance and security measures in the mobile advertising industry. AdOps teams are advised to use IVT monitoring tools [6], avoid using CaramelAds until the vulnerabilities are fixed [6], and monitor their traffic for signs of fraudulent activity [6].

Collaboration among stakeholders in the digital advertising ecosystem is crucial to mitigate the threat posed by Konfety and safeguard the integrity of digital advertising platforms [1]. The operation reached a peak of 10 billion requests per day [3], demonstrating its significant scale [3].
Conclusion
The Konfety ad fraud campaign poses a serious threat to the digital advertising industry and highlights the need for increased vigilance and security measures [3] [5]. By collaborating with stakeholders and implementing detection and mitigation strategies, the impact of Konfety can be minimized and the integrity of digital advertising platforms safeguarded in the future.
References
[1] https://www.krofeksecurity.com/uncovering-the-konfety-ad-fraud-scheme-250-google-play-decoy-apps-concealing-malicious-twins/
[2] https://rhyno.io/blogs/cybersecurity-news/the-konfety-ad-fraud-operation/
[3] https://www.redpacketsecurity.com/konfety-ad-fraud-uses-250-google-play-decoy-apps-to-hide-malicious-twins/
[4] https://www.tradingview.com/news/reuters.com,2024-07-16:newsml_GNX116zVc:0-human-discovers-konfety-ad-fraud-operation-wielding-novel-evil-twin-evasion-method/
[5] https://thehackernews.com/2024/07/konfety-ad-fraud-uses-250-google-play.html
[6] https://www.admonsters.com/humans-satori-team-uncovers-konfety-fraud-operation-with-new-malvertising-tactics/
[7] https://finance.yahoo.com/news/human-discovers-konfety-ad-fraud-130000773.html
[8] https://www.globenewswire.com/en/news-release/2024/07/16/2913829/0/en/HUMAN-Discovers-Konfety-Ad-Fraud-Operation-Wielding-Novel-Evil-Twin-Evasion-Method.html