Researchers identified more than 100 apps that used a common code package named “Soraka” to perform ad fraud on users’ Android devices.
The White Ops Threat Intelligence team observed that many of the apps did not have a suspicious reputation at the time of discovery. For instance, the “Best Fortune Explorer” registered no red flags with anti-virus engines on VirusTotal when White Ops Threat Intelligence published its research. The app had already received 170,000 downloads by that time, and it was still available for download on Google’s Play Store.
Together, all of the 100+ malicious Android apps registered 4.6 million downloads.
In its analysis, the White Ops Threat Intelligence team found that the apps relied on a framework called AppsFlyer to watch for inorganic installations, that is, installs attributed to the fraudsters' own promotional efforts. The apps displayed fraudulent ads only when the installation was inorganic. In those cases, the apps used their underlying Soraka code to decide what to run based on several triggers.
According to the White Ops Threat Intelligence team, there’s a likely explanation for this use of AppsFlyer. As the researchers explain in a blog post:
The filtering is likely a mechanism to avoid detection from automated analysis and other services that would install the app ad-hoc and then, most likely, be considered as organic by AppsFlyer. This mechanism also allows fine-grain control of who (or what) receives the ad fraud, using the controls of ad serving platforms. The apps render out-of-context ads when the filter conditions are appropriate.
Specifically, the app waited for the device to be unlocked before displaying its first Out-of-Context (OOC) ad. After the user minimized the first ad by clicking the device’s home button, the app displayed another OOC ad. The third OOC ad followed after a few additional actions.