“If it sounds too good to be true, it probably is.” Unfortunately, over 65,000 users neglected to observe this time-honored adage and proceeded to download a “free” app that came with the promise of among other things, a free pair of tennis shoes. Before it was all over, the online criminals had spoofed over 5,000 Android apps that in turn, downloaded an ad fraud botnet onto on over 65,000 devices. The botnet was also responsible for more than 2 billion bid requests. Yes, that’s billion, not million.
When Did It All Start?
The attack, now codenamed TERRACOTTA, began in late 2019 when a family of apps listed on the Google Play Store, offered users an opportunity to download an app in exchange for a free pair of tennis shoes, or in some cases, items such as event tickets, coupons, or even expensive dental treatments. For those who opted for the tennis shoes as their free gift, all they had to do was fill in their name along with their address details, select the shoes they wanted and in 14 days time, the shoes would be mailed to their front door. Incredibly, there were no strings attached.
Since initially many users gave the apps a glowing 5-star review, others were likely encouraged by such positive feedback and eager to download an app and then part with their personal information. As time passed and not a single user claimed they received free tennis shoes, the 5-star reviews understandably turned negative.
How Did They Do It?
The ad fraud botnet used in all the apps silently loaded ads in the background, and this is what made this family of apps completely different from other apps that have used somewhat similar tactics in that they bombarded users with unwanted, but obvious ads.
The entire family of apps used in the exploit were not reported to the Google Play Store as being supported by ads. Since no users ever reported seeing any unwanted ads, the apps were able to do their work under the radar. Further analysis showed no monetization mechanism and the analysis confirmed that no ads were ever shown to users. Using these clever ploys, the apps were able to deceive users on Google Play Store until the final week in June 2020.
In addition to defrauding the average user, the apps also contained malware that deceived advertisers. Beyond the 14-day window of shoe delivery that of course never occurred, the apps acted as a delivery platform for other functionality that initially remained dormant.
Eventually it was discovered the other functionality consisted of a customized Android browser that was packaged beside a control module written in the popular React Native framework. After being loaded on the phone, the customized Android browser was used to create deceitful ad impressions. These were then purchased by advertisers who bought them in the digital advertising ecosystem.
Those committing the fraud made use of several techniques that allowed their malware to remain undetected for quite some time. With their clever 14-day “waiting period”, it allowed them to leave an app that had no real functionality for an extended period of time on countless phones. By waiting a lengthy period rather than immediately exhibiting bad behavior, it made it much more difficult for users to connect downloading the malware-loaded app with unwanted behavior that occurred much later. The lengthy waiting period also negatively affected cybersecurity analysis since the apps required observation for an extended period of time in order to finally detect the exploitive behavior. Those in the anti-virus community simply were not prepared for malware that remained dormant for such a long period of time.
A Cautionary Tale
The clever exploitation described above should be a cautionary tale for companies who may not be well-versed in how to effectively train their employees to spot such deceitful malware. If you would like more information on how to protect your company’s portable devices and other hardware and software from exploitation, please contact us.