Apps

Brazen adware on Google Play and Apple Store Installed 13 Million Times

Brazen adware on Google Play and Apple Store Installed 13 Million Times

It’s an ongoing battle that Google and Apple have once again lost. A brazen adware campaign managed to evade Play Store and App Store protections. The apps carrying ad fraud codes were downloaded 13 million times.

To start with, both Apple and Google have to fight time and again with malware in their app stores, which often come along with apparently harmless applications. In the current case, security researchers from Human Security have Bleeding Computer unveiled a new large-scale campaign called “Scylla”, which affects both Android and iOS simultaneously. Mobile applications are used to commit various types of ad fraud. So they are not directly aiming to cheat their victims, but make their money by pretending to call ads.

According to the team, 75 apps in Google’s Play Store and more than 10 apps in Apple’s App Store were discovered using sophisticated code obfuscation methods to hide their untrustworthy background.

13 million downloads were registered across all apps, after cooperation with the researchers all applications from Google and Apple were removed from their stores. Below is the list of the most downloaded applications from the “Scylla” campaign:

iOS App List:

  • Loot the Castle – com.loot.rcastle.fight.battle (id1602634568)
  • Run Bridge – com.run.bridge.race (id1584737005)
  • Shinning Gun – com.shinning.gun.ios (id1588037078)
  • Racing Legend 3D – com.racing.legend.like (id1589579456)
  • Rope Runner – com.rope.runner.family (id1614987707)
  • Wood Sculptor – com.wood.sculptor.cutter (id1603211466)
  • Fire Wall – com.fire.wall.poptit (id1540542924)
  • Ninja Critical Hit – wger.ninjacriticalhit.ios (id1514055403)
  • Tony Runs – com.TonyRuns.game

Android App List (1+ million downloads):

  • Super Hero Save the world! – com.asuper.man.playmilk
  • Spot 10 Differences – com.different.ten.spotgames
  • Find 5 Differences – com.find.five.subtle.differences.spot.new
  • Dinosaur Legend – com.huluwagames.dinosaur.legend.play
  • One Line Drawing – com.one.line.drawing.stroke.yuxi
  • Shoot Master – com.shooter.master.bullet.puzzle.huahong
  • Talent Trap – com.talent.trap.stop.all

For the full list of known Android and iOS apps that are part of the ad fraud schemes, visit the Human Security report. However, the researchers emphasize that the wave does not seem to be over yet, so new apps can be added at any time.

Feigning something to the advertising industry

Adware campaigns are considered less dangerous for the users of the infected apps than classic malware. Here, the people behind it are mostly aimed at making money with fraudulent advertisements. So you try to attract as little attention as possible to infected devices, but the use of malicious code naturally represents a deep intrusion.

Typical signs of adware active in the background: unusually fast draining of the battery and increased data usage on the Internet. For example, the “Scylla” campaign on Android loads ads in hidden WebView windows, so the scam runs entirely in the background.

By using a “JobScheduler” system, the code can trigger advertisements regardless of the device status, i.e. even when the screen is deactivated. Last but not least, Scylla applications with fake IDs trick advertisers into thinking they are other applications that serve more profitable ads.
September 28, 2022