Malvertising – Getting More Than You Pay For

Updated July 1, 2016 – We shared our findings, and these ad fraud IoCs, with the Facebook ThreatExchange security group.

Fig. 1a – Sample data submission

Many thanks to Facebook for their ThreatExchange platform, which lets us continue to share details of threat actors and other artifacts with the global security community.

In one mobile security research forum that we participate in, an emerging Android app was reported to have slipped into the Google Play app store. The app is a trojan in that it pretends to be a useful app but instead only displays advertising. As of June 8th, when we initiated this blog post, the malware was still active in Google Play.

Fig. 1b – Free Waze Maps by “Jodan mumbai studio”

The app passed a malware scan by 56 scanners via VirusTotal.com.

Fig. 2 – VirusTotal.com scan results

Avast discussed the nuances of how app developers push fake apps onto the Google Play store in a blog post. The developer gains traction in the store by customizing the app to appear related to other popular apps, in this case the widely popular navigation app Waze.

This type of fake app, also known as a “Clicker Trojan”, is not new. Not long ago, we worked with McAfee Labs to report a campaign of Android/Clicker.G in dozens of published apps on Google Play, which were subsequently removed. The mere presence of this fake app raises the following questions:

  • Why are fake app developers so persistent in continuing to push their wares?
  • What is the business model for the clicker, and for mobile ad fraud in general?
  • What is the role of mobile threat intelligence in infosec?

Stubborn Threat Actors

Using rich metadata details and analysis logs from our own NewSky AppRisk Scanner, we observe the following certificate details of the fake app:

Fig. 3 – Clicker Trojan cert

It is interesting to note that this cert had already been used to sign other malware apps since January 2016!

Fig. 4 – NewSky Security Meta-DB and other Clicker Trojan malware signed by the same cert

When we initiated this blog post, there were five Clicker Trojan apps still available from the same developer in the Google Play store. (Update: Google removed “Free Waze Traffic GPS Tips” Clicker Trojan.)
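The signing-certificate pivot described above, as an added illustration that is not NewSky's AppRisk or Meta-DB code: given app metadata records (package name, signer certificate bytes, first-seen date, verdict), index apps by the SHA-256 fingerprint of their signing cert and flag unknown apps whose signer has already signed known-malicious apps, reporting how long that cert has been associated with malware. All records, package names and certificate bytes below are constructed sample data.

```python
"""Signer-certificate pivot over constructed app metadata records."""
import hashlib
from collections import defaultdict
from datetime import date

# Constructed stand-ins for the DER bytes of two APK signing certificates.
CERT_A = b"constructed-der-cert-A"   # the reused "clicker" signer
CERT_B = b"constructed-der-cert-B"   # an unrelated signer


def cert_fingerprint(der_bytes: bytes) -> str:
    """SHA-256 over the DER cert, the usual pivot key for an APK signer."""
    return hashlib.sha256(der_bytes).hexdigest()


# Constructed Meta-DB style records: (package, signer DER, first seen, verdict).
APPS = [
    ("com.example.fakewaze",   CERT_A, date(2016, 6, 1),  "malicious"),
    ("com.example.rockclock",  CERT_A, date(2016, 3, 12), "malicious"),
    ("com.example.newtips",    CERT_A, date(2016, 6, 7),  "unknown"),
    ("com.example.legitnotes", CERT_B, date(2016, 2, 2),  "unknown"),
    ("com.example.oldclicker", CERT_A, date(2016, 1, 15), "malicious"),
]


def index_by_signer(apps):
    """Group records by signer fingerprint: {fingerprint: [(pkg, seen, verdict)]}."""
    idx = defaultdict(list)
    for pkg, der, seen, verdict in apps:
        idx[cert_fingerprint(der)].append((pkg, seen, verdict))
    return idx


def flag_by_cert_reuse(apps):
    """Return {package: reason} for 'unknown' apps whose signing cert has
    already signed a known-malicious app; the reason records when that
    cert was first seen on malware, the signal called out in the post."""
    flagged = {}
    for fp, entries in index_by_signer(apps).items():
        bad_dates = [seen for _, seen, verdict in entries if verdict == "malicious"]
        if not bad_dates:
            continue  # signer has no malicious history; nothing to pivot on
        first_bad = min(bad_dates).isoformat()
        for pkg, _, verdict in entries:
            if verdict == "unknown":
                flagged[pkg] = f"signer {fp[:16]}... used for malware since {first_bad}"
    return flagged


if __name__ == "__main__":
    for pkg, why in flag_by_cert_reuse(APPS).items():
        print(pkg, "->", why)
```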

Fig. 5 – Five apps available on Google Play from the same malvertising dev

Clicker Trojan Profit Model

These “junkware” apps are ad fraud. When the developer publishes the app, they also write a plethora of fake reviews to boost visibility and gain credibility for the app. The app contains an embedded ad SDK such as the “Ad Mob Android SDK”. The developer gains in two ways: by fooling consumers into installing the app, and by collecting money through advertising partnerships.

To reiterate, these apps lack functionality and serve no purpose other than to display advertising. Take the Clicker Trojan app “FreeTheRockClockTips” for example. When started, the app only displays a “Play now!” button and a banner of ads. After clicking the “Play now!” button, it displays additional ads.

Fig. 6 – Clicker Trojan “The Rock Clock Tips” app

Another boost used by the fake app developer is to craft a barrage of fake reviews that inflate the app’s popularity and entice consumers to install it. Tricked users may in turn post reviews to warn other potential users that the app isn’t what it claimed to be.

Fig. 7 – Clicker Trojan fake and factual reviews

Further investigation of the “Free Waze Traffic GPS Tips” Clicker Trojan revealed light communications with the site “analytics.seattleclouds.com”. This provides a clue as to the source and origin of the app: the app-building site “seattleclouds.com”. The site provides a framework for a developer to register with Apple and Google, create an app, and partner the app with Google’s AdMob.

This framework in itself isn’t malicious; however, the app developer appears to have crossed at least one boundary by violating the seattleclouds.com TOS as outlined in article 28 of the site’s FAQ:

28. Approval Process

Application approval is subjective to our review and Apple’s review process. We will not approve and submit apps that are incomplete, have broken links, broken functionality, have inappropriate content, are part of a scam or infringe on copyright laws. We will also not approve applications qualified as purely marketing ad with limited, or no functionality. SeattleClouds and Apple reserves the right to reject an application based on a subjective evaluation of the reviewer.


Call to Action

Recall that prior to the creation of the malware classification “Fake AV”, there was an infosec debate over whether to classify such apps as PUA (potentially unwanted applications) or as malware. The result of that discussion was the creation of a new threat category, “Fake AV”, that became widely adopted among security companies.

It could be debated that these junkware apps are not inherently malicious, in that no physical damage may occur and private information may not be compromised. We contend that these apps are malicious: in the purest sense, their behavior amounts to fraud, and it merits its own category, Ad Fraud Trojan.