Konfety Hackers Infiltrate 250 Google Play Store Apps with Malicious Ads

Konfety leverages a non-malicious advertising SDK, CaramelAds, for its large-scale ad fraud scheme. The operation hinges on “evil twin” apps, distributed outside official stores, that exploit a modified version of CaramelAds to request ads, install malware, and communicate with control servers. 

These evil twins masquerade as legitimate apps (decoy twins) found on the Play Store, sharing infrastructure with them. The threat actors manage both sets of apps through the same CaramelAds servers, allowing for easy scaling of the fraudulent activity. 

The same group is probably in control of the seemingly unrelated decoy apps, which further obscures the malicious intent, while Konfety appears to profit by reselling ad inventory from apps it does not directly own. 

[Figure: Diagram showing how Konfety apps are distributed and operated]

CaramelAds is a Russia-based ad network with a suspicious SSP server flagged in a BADBOX/PEACHPIT investigation. The CaramelAds SDK code provides mediation for several ad networks and offers basic functionalities to render ads. 

The SDK can be abused by developers due to a lack of validation and security checks. For instance, the server can control the UserAgent string and navigate devices to malicious URLs. 
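The two weaknesses named above (a server-controlled User-Agent and server-directed navigation) are the kind of fields a client SDK should validate before acting on them. The following is an added example of such a check, not CaramelAds code; the field names ("user_agent", "open_url"), the allow-listed hosts and the rule that a server may only append a short tag to the device's own User-Agent are assumptions made for illustration.

```python
"""Illustrative validation of server-supplied ad-SDK configuration.

Added example, not the CaramelAds SDK: it models the two weaknesses the
article names and shows the client-side checks that would prevent a server
from replacing the User-Agent or steering the device to arbitrary URLs.
Field names, the allow-list and the tag rule are assumptions.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed operator allow-list of hosts the SDK may navigate to.
ALLOWED_NAV_HOSTS = {"ads.example-network.invalid", "cdn.example-network.invalid"}
# The server may append one short SDK tag to the device UA, never replace it.
SDK_TAG_RE = re.compile(r"^[A-Za-z0-9._/-]{1,40}$")


class ConfigRejected(ValueError):
    """Raised when a server-supplied value fails validation."""


def validate_user_agent(device_ua: str, server_ua: Optional[str]) -> str:
    """Accept only the device UA itself, or the device UA plus one short tag."""
    if server_ua is None or server_ua == device_ua:
        return device_ua
    if server_ua.startswith(device_ua + " "):
        tag = server_ua[len(device_ua) + 1:]
        if SDK_TAG_RE.fullmatch(tag):
            return server_ua
    raise ConfigRejected("server attempted to replace the User-Agent")


def validate_nav_url(url: str) -> str:
    """Allow only https URLs to an allow-listed host, with no userinfo or port
    (rejects tricks such as https://allowed-host@attacker/ and intent: schemes)."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ConfigRejected(f"non-https navigation target: {url}")
    if parts.username is not None or parts.port is not None:
        raise ConfigRejected(f"unexpected userinfo/port in navigation target: {url}")
    if parts.hostname not in ALLOWED_NAV_HOSTS:
        raise ConfigRejected(f"host not allow-listed: {parts.hostname}")
    return url


def apply_server_config(device_ua: str, config: dict) -> dict:
    """Return the sanitised settings the SDK may act on, or raise ConfigRejected."""
    return {
        "user_agent": validate_user_agent(device_ua, config.get("user_agent")),
        "open_urls": [validate_nav_url(u) for u in config.get("open_url", [])],
    }
```

Rejecting the whole configuration on the first bad field, rather than silently dropping it, is deliberate: a partially applied config from an untrusted server is harder to reason about than none at all.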

[Figure: CaramelAds SDK ApiService class]

Researchers identified over 250 seemingly harmless template-based games on the Play Store that contained the CaramelAds SDK. These decoy apps displayed minimal ads yet contacted ad servers associated with malware; the researchers suspect the real malicious activity originated from “evil twin” apps that mimicked the decoys. 

The large discrepancy between the expected ad volume for the decoy apps’ download numbers and the observed ad traffic suggests the evil twins were generating fraudulent ad clicks.  
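That discrepancy can be turned into a detection rule: compare each app's observed ad requests against the volume its install base could plausibly generate and flag outliers. The example below is added here and is not Satori's method or data; the sample apps, the per-install baseline (10% of installs active per day, about 30 ad requests per active install) and the thresholds are constructed assumptions. A robust median/MAD test is used so that one inflated app does not distort the baseline it is measured against.

```python
"""Added example: flag apps whose observed ad traffic is far above what their
install base can plausibly produce, the discrepancy the article uses to infer
that hidden "evil twin" installs are driving the requests.

Sample data, the per-install baseline and thresholds are constructed
assumptions, not figures from the article or from Satori's research.
"""
from dataclasses import dataclass
from statistics import median
from typing import List

# Assumed baseline for a casual game: 1 in 10 installs is active on a given
# day, and an active install makes roughly 30 ad requests.
ASSUMED_ACTIVE_RATIO = 0.10
ASSUMED_REQUESTS_PER_ACTIVE_INSTALL = 30.0


@dataclass(frozen=True)
class AppTraffic:
    package: str
    installs: int
    daily_ad_requests: int


def expected_requests(installs: int) -> float:
    """Ad requests per day the install base alone would explain."""
    return installs * ASSUMED_ACTIVE_RATIO * ASSUMED_REQUESTS_PER_ACTIVE_INSTALL


def traffic_ratio(app: AppTraffic) -> float:
    """Observed / expected; values near 1 are normal, >> 1 is unexplained volume."""
    return app.daily_ad_requests / max(expected_requests(app.installs), 1.0)


def flag_inflated_apps(apps: List[AppTraffic], min_ratio: float = 5.0,
                       mad_k: float = 3.5) -> List[str]:
    """Return packages whose ratio is both far above the population median
    (robust z-score via MAD) and above an absolute floor (min_ratio), so a
    population with near-identical ratios does not produce spurious hits."""
    ratios = {a.package: traffic_ratio(a) for a in apps}
    med = median(ratios.values())
    mad = median(abs(r - med) for r in ratios.values()) or 1e-9
    flagged = []
    for pkg, r in ratios.items():
        robust_z = 0.6745 * (r - med) / mad
        if r >= min_ratio and robust_z > mad_k:
            flagged.append(pkg)
    return sorted(flagged)


# Constructed sample: five decoys behaving normally and one whose package name
# is also being reported by far more traffic than its installs can explain.
SAMPLE = [
    AppTraffic("com.example.decoy.puzzle", 100_000, 280_000),
    AppTraffic("com.example.decoy.runner", 50_000, 160_000),
    AppTraffic("com.example.decoy.match3", 20_000, 55_000),
    AppTraffic("com.example.decoy.tower", 10_000, 33_000),
    AppTraffic("com.example.decoy.cards", 5_000, 12_000),
    AppTraffic("com.example.decoy.bubble", 10_000, 1_800_000),
]

if __name__ == "__main__":
    for app in SAMPLE:
        print(f"{app.package:32s} ratio={traffic_ratio(app):7.2f}")
    print("flagged:", flag_inflated_apps(SAMPLE))
```

In practice the baseline would come from the ad network's own per-install statistics rather than a fixed constant, and the ratio should be computed per package name as reported by the SDK, since that is the identifier the evil twins spoof.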

[Figure: Examples of requests to CaramelAds SSP server and their respective empty replies]

Konfety spreads malicious “evil twin” apps disguised as legitimate ones, which mimic decoy apps found on app stores by spoofing their ID and publisher info. Malvertising campaigns using DGA domains and URL shorteners play a key role. 

Malicious PDFs hosted on various platforms (compromised WordPress, Docker Hub, etc.) redirect users to download the evil twin apps disguised as APKs on CaramelAds’ infrastructure, which increases the reach of the Konfety campaign. 
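The delivery chain just described (a PDF fetched from a legitimate-looking host, a URL-shortener hop, then an APK download from a throwaway domain) leaves a recognisable trace in proxy logs. The following is an added example, not code from the article or from Satori, that reconstructs such chains per client and scores the APK host for DGA-like structure. The log format, the five constructed log lines, the hostnames (all under the reserved .invalid TLD), the time window and the score threshold are assumptions; a real deployment would use a public-suffix list rather than the simple label split shown.

```python
"""Added example (not from the article or Satori's research): reconstruct
PDF -> redirect -> APK download chains from proxy logs and score the APK host
for DGA-like structure. Log format, thresholds and every sample host are
constructed assumptions; the .invalid TLD is reserved and never resolves.
"""
import math
from collections import Counter
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

APK_MIME = "application/vnd.android.package-archive"
PDF_MIME = "application/pdf"

# Constructed proxy log: "<timestamp> <client> <method> <url> <content-type>"
SAMPLE_LOG = """\
2024-07-16T10:00:01Z 10.0.0.5 GET https://blog.example.invalid/wp-content/uploads/guide.pdf application/pdf
2024-07-16T10:00:04Z 10.0.0.5 GET https://sh.example.invalid/x9Qa text/html
2024-07-16T10:00:05Z 10.0.0.5 GET https://qzkxvbtrw7m.invalid/dl/app.apk application/vnd.android.package-archive
2024-07-16T10:01:00Z 10.0.0.7 GET https://store.example.invalid/catalog.pdf application/pdf
2024-07-16T10:05:00Z 10.0.0.7 GET https://www.example.invalid/index.html text/html
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own character distribution."""
    n = len(s)
    if not n:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_label(host: str) -> str:
    """Label left of the TLD (simplified; a public-suffix list handles co.uk etc.)."""
    parts = host.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(label: str) -> float:
    """Heuristic in [0, 1]: high entropy, few vowels and mixed letters/digits
    are typical of algorithmically generated labels."""
    if not label:
        return 0.0
    entropy_part = min(shannon_entropy(label) / 4.0, 1.0)
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    vowel_part = 1.0 - min(vowel_ratio / 0.4, 1.0)
    mixed = any(ch.isdigit() for ch in label) and any(ch.isalpha() for ch in label)
    return (entropy_part + vowel_part + (1.0 if mixed else 0.0)) / 3.0


def parse_log(text: str) -> List[Tuple[datetime, str, str, str]]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, url, ctype = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), client, url, ctype))
    return events


def find_pdf_to_apk_chains(text: str, window_seconds: int = 300,
                           min_score: float = 0.7) -> List[Dict]:
    """Pair each APK download with the most recent PDF the same client fetched
    inside the window, keeping the intermediate hops (e.g. a shortener)."""
    chains: List[Dict] = []
    last_pdf: Dict[str, Tuple[datetime, str, List[str]]] = {}
    for when, client, url, ctype in sorted(parse_log(text)):
        if ctype == PDF_MIME:
            last_pdf[client] = (when, url, [])
        elif client in last_pdf:
            pdf_time, pdf_url, hops = last_pdf[client]
            if (when - pdf_time).total_seconds() > window_seconds:
                del last_pdf[client]          # PDF too old to be the trigger
                continue
            if ctype == APK_MIME:
                host = urlsplit(url).hostname or ""
                score = dga_score(registrable_label(host))
                chains.append({"client": client, "pdf_url": pdf_url, "hops": list(hops),
                               "apk_url": url, "apk_host": host,
                               "dga_score": round(score, 3), "suspicious": score >= min_score})
                del last_pdf[client]
            else:
                hops.append(url)              # redirect or shortener in between
    return chains


if __name__ == "__main__":
    for chain in find_pdf_to_apk_chains(SAMPLE_LOG):
        print(chain)
```

The chain itself (PDF, then APK outside an app store) is the stronger signal; the DGA score only ranks which APK hosts to look at first, and a shortener hop between the two is worth recording because it is what the article describes.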

[Figure: List of URLs containing malicious PDFs with urluss[.]com redirect payload]

Satori researchers analyzed malicious twin applications that impersonate legitimate apps. The dropper APKs are small and obfuscated using dynamic code loading. The first-stage stager is decrypted from the assets, defines the implementation of services, sets up C2 communications, and hides the app icon. 

The second-stage payload is encrypted and contains backdoored ad SDKs. The malware communicates with a C2 server attributed to CaramelAds to obtain configuration parameters and additional server locations, and the application is uniquely identified using the same ID format that the CaramelAds SDK uses.

[Figure: Class that performs service initialization to render ads depending on user presence]

Malicious actors exploited the CaramelAds SDK to create “evil twin” apps that mimicked legitimate “decoy twin” apps on the app store; the evil twins displayed intrusive full-screen video ads even when the user wasn’t actively using the app. 

To mask their activity, the evil twins used the package name of the decoy twins, making it appear that the ads originated from the legitimate app. They also leveraged the SDK’s features to track download success rates and to open arbitrary URLs in the user’s browser, potentially leading users to malicious websites. 

Kaaviya (https://cyberpress.org/)
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She covers various cyber security incidents happening in cyberspace.
