Over 75 Applications on Google Play with 13M Installations Deliver Adware

Researchers from HUMAN’s Satori Threat Intelligence team found a new adware operation named ‘Scylla’, which is the third wave of an attack reported in August 2019 dubbed ‘Poseidon’. The second wave, indeed from the same threat actor, was called ‘Charybdis’ and cropped up in late 2020.

Reports say Apps related with Scylla operation have been downloaded 13+ million times. Experts identified 75+ Android apps and 10+ iOS apps engaged in advertising fraud.

The Working of Scylla

Satori team found that the Scylla apps use a bundle ID spoofing as primary fraud mechanism.

“Our PARETO investigation, for example, uncovered 29 Android apps that were pretending to be more than 6,000 CTV-based apps, which generally carry higher prices for advertisers than the average mobile game”, says HUMAN’s Satori Threat Intelligence team.

In the apps in the Scylla operation are instructed which bundle ID to use by a remote command-and-control (C2) server. Therefore, it tells the app which bundle ID to dynamically insert in the code.

C2 response with designated ID to be used by the app
Response from C2 server with spoofing instructions

Also, , the ads are loaded in hidden WebView windows, here so the victim never gets to notice anything suspicious, as it all happens in the background.

UI elements identifying the location of webviews for ads
UI elements identifying the location of webviews for ads

Researchers explain fake clicks have many advantages for the fraudster: for ad networks that bill on a views model, clicks demonstrate effectiveness, which makes advertisers want to stick around. But some other ad networks bill by the click, which incentivizes the fraudster to just fake the clicks to get paid.

Generating a fake click on the invisible advertisement

The adware also uses a “JobScheduler” system to trigger ad impression events when the victims aren’t actively using their devices. Researchers say Scylla apps rely on additional layers of code obfuscation using the Allatori Java obfuscator. This makes detection and reverse engineering more hard for researchers.

Therefore, Human is recommending users remove the fraudulent apps if present on their devices.

iOS App List:

  • Loot the Castle – com.loot.rcastle.fight.battle (id1602634568)
  • Run Bridge – com.run.bridge.race (id1584737005)
  • Shinning Gun – com.shinning.gun.ios (id1588037078)
  • Racing Legend 3D – com.racing.legend.like (id1589579456)
  • Rope Runner – com.rope.runner.family (id1614987707)
  • Wood Sculptor – com.wood.sculptor.cutter (id1603211466)
  • Fire-Wall – com.fire.wall.poptit (id1540542924)
  • Ninja Critical Hit – wger.ninjacriticalhit.ios (id1514055403)
  • Tony Runs – com.TonyRuns.game

Android App List (1+ million downloads)

  • Super Hero-Save the world! – com.asuper.man.playmilk
  • Spot 10 Differences – com.different.ten.spotgames
  • Find 5 Differences – com.find.five.subtle.differences.spot.new
  • Dinosaur Legend – com.huluwagames.dinosaur.legend.play
  • One Line Drawing – com.one.line.drawing.stroke.yuxi
  • Shoot Master – com.shooter.master.bullet.puzzle.huahong
  • Talent Trap – NEW – com.talent.trap.stop.all

The full list of applications part of the Scylla ad-fraud wave is available in HUMAN’s report.

Download Free SWG – Secure Web Filtering – E-book