HUMAN’s Satori Threat Intelligence Team uncovered a massive mobile malvertising scheme named Konfety, exploiting sophisticated tactics through decoy apps and their “evil twins” to generate up to 10 billion fraudulent programmatic bids per day.
HUMAN’s Satori Threat Intelligence Team began noticing that apps that don’t offer advertising were generating an abundance of IVT traffic. Concerned, they began studying the traffic source and, in the process, discovered a massive mobile malvertising scheme that used highly sophisticated tactics.
They named the scheme Konfety, which means “candy” in Russian, in a nod to CaramelAds, the Russian mobile advertising SDK that the threat actors managed to abuse. Konfety is a massive fraud perpetrated against DSPs and advertising networks, and at its peak, Konfety-related programmatic bids reached 10 billion requests per day.
To learn more about the threat, AdMonsters talked with Lindsay Kaye, VP of Threat Intelligence at HUMAN, who was instrumental in uncovering Konfety. For a complete discussion, see the HUMAN Satori Threat Alert: Konfety Spreads “Evil Twin” Apps for Multiple Fraud Schemes.
Susie Stulz: Konfety uses several new mechanisms in malvertising. This scheme uses decoy apps and evil twins. Can you provide an overview of the scheme and how it worked? 
Lindsay Kaye: Sure. The threat actors created about 250 decoy Android application package files — or APK apps — which they uploaded to the Google Play Store. These apps don’t provide any sort of fraud when we download and execute them.
And yet, in the real world, we saw a lot of IVT coming from those apps, so we started investigating. We found that APK apps in the Play Store are decoys and they provide something really important to the threat actors, which is the legitimate identifiers of Google Play Store Apps.
After a lot of research we discovered the presence of evil twins to those decoy apps. Those evil twins are not distributed in the Play Store, they spread through malvertising, and they are the apps responsible for the ad fraud.
SS: So, the evil twin apps offered “inventory” in the programmatic markets 10 billion times per day?
LK: Yes, and at first glance, it looks like the fraudulent traffic comes from these decoy apps because both the evil twins and the decoy apps use the same Google identifiers. We believe threat actors have developed a new and very sophisticated technique to host malicious apps outside of the Play Store.
SS: Is that what tipped you off that a unique type of malvertising was at work?
LK: We saw no ad fraud stemming from the decoy apps we downloaded from the Play Store itself. In fact, those apps do not show ads, even if they technically can support advertising. However, when we looked at third-party repositories, like VirusTotal and some others, we noticed that there were two APKs with the same name. To dig deeper, we looked at the hashes and saw they were different.
SS: What do you mean by hashes?
LK: Hashes are unique identifiers which are generated when a developer applies a hash function to a file’s contents. They act as digital fingerprints, so that when there are changes to a file, a new hash will be generated. Comparing hashes allows us to determine if two files with the same name are identical or different.
SS: So, were the different hashes the first clue?
LK: Yes, that was the first tip, and we began investigating from there. We thought this was interesting: two APKs with the same name but different hashes.
But the two APKs themselves were also really different; they weren’t even pretending to be the same app. The decoy APK in the Google Play store may be a car racing app, but its evil twin wasn’t. It was just stealing the legitimate Google identifiers of the decoy to commit ad fraud.
SS: How often were the decoy apps downloaded?
LK: Not very often; they averaged 10,000 downloads per app, which is nothing in the app world. This is one of the things that stood out to us: Apps with a small number of installs were generating a huge amount of IVT.
SS: Is the CaramelAds SDK inherently fraudulent?
LK: SDK has some vulnerabilities that allow threat actors to abuse it. If you’re looking for an SDK to monetize your mobile app, I suggest looking elsewhere until those vulnerabilities are fixed.
SS: At present, HUMAN has observed ad fraud only stemming from Konfety, but haven’t you noticed other things getting loaded on the user devices, such as a search tool and intent signals? What are the purposes of these things?
LK: To date, we have only observed ad fraud, but in the report, we describe other things, like intent filters, that were loaded onto the devices. These are links that pretend to open other applications, such as Zoom or TikTok. Certainly, those intent links can be used for other frauds that target the user, such as credential stealing or pushing other kinds of malware onto the device. We just didn’t observe that kind of activity to date.
Obviously, this is an ongoing threat, and one that we expect will evolve and we will continue to monitor.
SS: What advice do you have for AdOps teams so they can avoid the Konfety threat?
LK: The most important thing AdOps teams can do is to use an IVT monitoring tool or platform. Obviously, HUMAN offers one, but there are others. Campaigns like Konfety show that the threat actors are getting more sophisticated, making their threats very difficult to detect.
Uncovering the evil twins required an extremely complex investigation that AdOps teams might not have the time or skillset to conduct on their own.
The second thing I’d recommend is for AdOps teams to look at their past traffic. Do you see a lot of ads served to apps that have a small number of downloads? If yes, you might want to investigate it and share your findings with your partners. Sharing insights makes the industry safer.
As I said earlier, avoid using CaramelAds until they’ve fixed its vulnerabilities.
SS: The challenge, I think, is that fraudsters are often copycats. They see threat actors succeed with one tactic, in this case, decoys and evil twins, and they create their version of it. Does this mean evil twins in malvertising will be with us for a while?
LK: That’s likely, so AdOps teams must choose their SDKs wisely and work with only reputable companies. However, even then, threat actors may find new vulnerabilities to exploit, so monitoring IVT regularly is critical.
Cybersecurity has always been a game of cat and mouse, and Konfety is a great example of this. Threat actors were getting kicked out of the Play Store, so they found a way to commit fraud outside the official app stores.
SS: Final question: the report offers a great deal of technical descriptions, sample code, the domain names, the names of the decoy apps and so on. Where can readers access that report?
LK: It’s available online, at: https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-konfety-spreads-evil-twin-apps-for-multiple-fraud-schemes