- Aggressive adware apps invade tens of thousands of devices
- Operators designed the apps to run unhindered in the background
- Google removed all of the fake apps from the Play Store
Security researchers from White Ops have discovered and
tracked a vast ad fraud botnet that used dozens of Android apps pretending to
offer users free items to keep the application installed for at least two
weeks.
At the peak of its activity, the botnet, named TERRACOTTA,
had more than 65,000 infected devices, spoofed more than 5,000 apps and
generated about 2 billion fraudulent bid requests. Such aggressive adware is
usually after one thing — to generate as many fake clicks as possible and
create the impression of users actively clicking on ads.
The old saying, “If something seems too good to be true,
it probably is,” encapsulates the TERRACOTTA botnet offering. Apps offered
users shoes, coupons or concert tickets, and people didn’t have to pay a dime.
If someone were to give out free shoes on a street corner, everyone would be
immediately suspicious. Why not feel the same suspicion when the offer comes
from a random Android app?
“The TERRACOTTA malware offered Android users free goods
in exchange for downloading the app—including shoes, coupons, and concert
tickets—which users never received,” said the researchers.
“Once the app was installed and the malware activated, the malware used the
device to generate non-human advertising impressions purporting to be ads shown
in legitimate Android apps.”
The cybercriminals wrote the apps using the React Native
cross-platform development framework, which didn’t raise any flags. On the
other hand, the apps did require two powerful permissions, WAKE_LOCK and
FOREGROUND_SERVICE, that let them run uninterrupted and invisible in
the background.
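As an added, defensive example (not code from the article or from White Ops): a small Python triage helper that scans an app's AndroidManifest.xml for the WAKE_LOCK plus FOREGROUND_SERVICE pair described above, together with any declared service that would use it. The manifest, package name and service name below are constructed for the demo.

```python
# Added example (not from the White Ops report or the article): parse an
# AndroidManifest.xml and flag the permission pair the TERRACOTTA apps relied
# on, WAKE_LOCK plus FOREGROUND_SERVICE, when a service is also declared.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"   # attributes written as android:name

# Together these let an app keep the CPU awake and stay resident as a
# foreground service that the user can easily ignore.
BACKGROUND_PERSISTENCE = {
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}

# Constructed sample manifest; package and service names are hypothetical.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.freeshoes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".AdService" android:foregroundServiceType="dataSync"/>
  </application>
</manifest>"""


def triage_manifest(xml_text: str) -> dict:
    """Return package name, requested permissions, declared services, and
    whether the background-persistence pair plus a service are all present."""
    root = ET.fromstring(xml_text)
    perms = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    services = [e.get(NAME_ATTR) for e in root.iter("service")]
    missing = BACKGROUND_PERSISTENCE - perms
    return {
        "package": root.get("package"),
        "permissions": sorted(p for p in perms if p),
        "services": services,
        "persistence_pair": not missing,
        # Flag only when the pair is present AND a service exists to use it.
        "flag": not missing and bool(services),
    }


if __name__ == "__main__":
    result = triage_manifest(SAMPLE_MANIFEST)
    print(f"{result['package']}: flag={result['flag']} services={result['services']}")
```

Many legitimate apps (media players, fitness trackers, sync clients) request the same pair, so treat a hit as a triage signal to review the service's behaviour and network traffic, not as a verdict.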
Google was quick to remove all of the TERRACOTTA apps, every one of which
its operators had built with the React Native framework.
Interestingly, the simple removal of the software from the official store
doesn’t mean it’s gone from the devices. Many of them remain active, although
they can no longer generate funds for their operators.