Adware Sneaks onto Google Play Store and Apple App Store, Researchers Find

Security researchers have identified a new adware campaign that attackers designed to work on Android and iOS devices. The goal was to trick ad tech companies into believing their ads were displayed in the right places and to the right users.

One of the most common types of malware on modern devices is adware. This is software designed to serve annoying ads and, in some cases, to trick companies that offer those ads into thinking they are actually served in the right places.

Ad tech companies pay to serve those ads, but it’s through official channels or in the right places. The researchers from Human Security discovered that attackers figured out a way to upload apps serving adware in official stores. This is the third wave of such attacks detected in recent years.

“The Scylla operation featured 75+ Android apps and 10+ iOS apps committing several flavors of ad fraud. These apps generated 13+ million downloads in total before they were taken down,” security researchers explained.

The adware doesn’t just show annoying ads after users install them from official sources. It’s much more insidious. In the first method, called app and bundle ID spoofing, ad tech companies are tricked into thinking their ads are appearing in other well-known apps.

Another method the adware uses is showing out-of-context ads, such as when you’re not even using an app. In some situations, the adware would report that they’ve shown an ad even if the app didn’t do it.

Finally, the adware would also try to fake clicks on ads in an effort to defraud companies even further, by imitating a person’s actions and timing.

Bitdefender’s security researchers discovered a similar campaign a couple of months ago that followed the same pattern. This current campaign is different because attackers also managed to sneak some of these apps into the Apple Store.

Security researchers advised users who installed these apps to delete them at once and offered a complete list of indicators of compromise for all the applications.