White Ops has uncovered a mobile ad fraud operation with unusually sophisticated and patient tactics to embed itself in mobile phones, the company said Thursday.
The investigation, dubbed CHARTREUSEBLUR (most of the 29 perpetrating apps used “blur” in the name, and apparently the White Ops threat research team is fond of the liqueur chartreuse), rounded up 29 fraudulent Google Play Store apps. All of which have since been removed, but not before collecting 3.5 million total downloads.
The apps in the fraud network, most of which were photo tools, enabled fraudulent impressions without tripping alarms.
“The reason we really wanted to put this out there is the increased sophistication of threat actors,” said Dina Haines, White Ops' senior threat intelligence manager.
When consumers downloaded one of the photo apps, its codebase included a “stub app,” a placeholder developers use when they’re testing or planning additional code. The photo app would offer a basic function – like blurring photos or controlling the flash. But in the background, the stub app would load malicious code designed to serve ads and call up fake browser pages outside the user’s control.
Ads would display when phones were unlocked or while the phone was charging, for instance, Haines said.
Users couldn’t remove the app or even close it down in the background of their phone, she said, because it also removed its icon from the smartphone screen. So the only way to delete the app was to go into the phone settings, which most people wouldn’t think to do.
White Ops first detected one of these apps by noticing unusual download activity, indicating bot traffic, Haines said. They also had other common traits for malicious apps, including generic developer names that couldn’t be verified and a wave of initial five-star ratings (via bot sign-ups) followed by one-star reviews as actual people complained.
White Ops discovered the other 28 apps because the Chrome browser pages the apps all shared a common domain: ruanfan[.]co. An additional 99 apps share the same domain, and thus almost certainly have the same owner, Haines said.
White Ops isn’t pursuing attribution, which in the cyber security community means tying the fraud network back to the people who committed the crimes. But the shared domain is a potential lead, she said, especially considering the same bad actors and tactics will likely crop up again.
“Whether you call it cat-and-mouse or Whac-A-Mole, as we get better they improve,” she said.