Despite Google’s best efforts, its Play Store problem persists. A new report has just exposed a vast network of more than 250 “evil twin” applications on the official Android store, acting as decoys for malicious non-Play Store duplicates.
HUMAN Security has dubbed this threat Konfety, and explains that “one evil twin version is distributed via malvertising and malicious downloads and performs ad fraud,” while shielded by its harmless Play Store duplicate. “At its peak,” HUMAN says, “Konfety-related programmatic bids reached 10 billion requests per day.”
Konfety abuses the CaramelAds mobile advertising SDK, with the evil twins much more widespread than their Play Store versions. But it’s those harmless decoys that provide the fraudulent revenue stream, “by spoofing the [Play Store decoy’s] app ID and advertising publisher IDs for the purposes of requesting and rendering ads.”
While ad fraud is painful and can have a detrimental effect on an infected device (think bandwidth and battery usage), this same campaign has also been caught directing users to websites with malware-laced apps, which is a different level of threat.
I have approached Google for comment on this new report, but HUMAN assures that Google Play Protect can now identify these evil twin apps. If you’re the kind of person with a habit of installing trivial apps from random developers, then you can check the list of known evil twins here. Delete any you find.
According to HUMAN’s Satori Threat Intelligence Team, which conducted the research, “although the decoy apps on the Play Store purport to be owned by different developers, they are template-based apps, many of which are owned by the Konfety threat actor group.” It was the relatively low install numbers combined with high ad traffic of the decoy apps that alerted HUMAN to the ongoing fraud.
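The signal HUMAN describes, a decoy app ID carrying far more ad traffic than its install base could plausibly generate, can be turned into a simple defender-side check. The following is an added example, not HUMAN’s code; the app IDs, install counts, daily bid-request volumes and the 100-requests-per-install threshold are all constructed or assumed values.

```python
"""Flag app IDs whose programmatic ad traffic is out of proportion to installs.

Added example (not HUMAN's tooling). All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AppStats:
    app_id: str        # package name the bid requests claim to originate from
    installs: int      # Play Store install count for that package
    bid_requests: int  # programmatic bid requests per day seen for that app ID


# Constructed sample: two template decoys with tiny install bases but heavy
# ad traffic (the evil twins spoof their IDs), and two ordinary apps whose
# traffic scales with their install base.
SAMPLE = [
    AppStats("com.example.flashlight.decoy", installs=800, bid_requests=4_000_000),
    AppStats("com.example.wallpaper.decoy", installs=1_200, bid_requests=9_500_000),
    AppStats("com.example.popular.game", installs=5_000_000, bid_requests=12_000_000),
    AppStats("com.example.notes", installs=40_000, bid_requests=60_000),
]


def requests_per_install(app: AppStats) -> float:
    """Daily bid requests divided by installs; zero-install IDs count as one
    install so that an ID with traffic but no installs is still flagged."""
    return app.bid_requests / max(app.installs, 1)


def flag_suspicious(stats, max_requests_per_install: float = 100.0):
    """Return the sorted app IDs whose traffic-to-install ratio exceeds the
    (assumed) threshold; these are candidates for ID spoofing by a twin."""
    return sorted(
        a.app_id for a in stats
        if requests_per_install(a) > max_requests_per_install
    )


if __name__ == "__main__":
    for app_id in flag_suspicious(SAMPLE):
        print("suspicious app ID:", app_id)
```

A real deployment would pull install counts from the store listing and bid volumes from the ad exchange logs; the ratio threshold should be tuned against the normal range for legitimate apps in the same inventory.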
This novel campaign provides an interesting twist on past ad fraud techniques, but yet again illustrates why it’s now so important to take care over what is installed from Play Store, and especially from anywhere else. My advice remains to avoid downloading any apps through links or even third-party stores.
But at the same time a scan of the list of Play Store apps shows yet again that even the most trivial apps drive installs. This threat campaign required two things to operate successfully: users to install malicious apps outside Play Store, and users to install trivial apps from within Play Store. Both risky and yet both achieved with ease.
This report follows the news earlier this month that yet another Anatsa-laced app had been found and removed from Play Store. As such, the golden rules to staying safer on Android remain as critical for users as ever:
- Stick to official app stores—don’t use third-party stores and never change your device’s security settings to enable an app to load
- Check the developer in the app’s description—is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed? Avoid the indiscriminate installation of trivial apps you do not need.
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
- Never ever click links in emails or messages that directly download apps or updates—always use app stores for installs and updates.
- Ensure Google Play Protect is enabled on your device.