Researchers: Gabi Cirlig, Michael Gethers, Lisa Gansky, Adam Sell
If you grew up with siblings, odds are you experienced some form of copycat, the classic and aggravating kids’ “game”. The game usually came to an end when the copier got tricked into doing or saying something self-insulting or when they were tattled on to whomever was in charge.
It’s in that spirit that we named our latest Satori Threat Intelligence and Research investigation “CopyCatz”. The short version: we found a large number of apps on the Google Play Store that were mimicking notable apps to garner downloads, only to then trick the user into seeing a whole bunch of unexpected ads.
What’s really notable about the CopyCatz apps is just how many of them there were: we found 164 apps that shared this particular approach, with more than 10 million downloads among them. All of the apps have been removed from the Play Store as of this writing.
What It Did
The Satori team discovered that these apps contain code capable of displaying out-of-context ads under the com.tdc.adservice package. The apps’ behavior is controlled by a command-and-control JSON hosted on Dropbox (Note: Dropbox is another victim, not a participant, in the CopyCatz operation). The URL of the JSON differs from app to app, but the structure is very similar, indicating the frequency of the ads and the Publisher ID to be used.
The first app we spotted that triggered out-of-context ads—Assistive Touch 2020—is examined below. This app is a copy of a legitimate app, Assistive Touch. The app’s package name is a misspelled version of the official one, which is common to the apps in this operation.
App Name | Assistive Touch 2020
Package Name | com.teen.asasitivetouch.easytouch
MD5 | f5a170925701ca242975b7188343cb65
SHA256 | ccd87882dff824165aded2cb6d0f8c2780471a0de1d1388f06ec13f08f0bf074
File Size | 8.15 MB
Google Play Store Link | https://play.google.com/store/apps/details?id=com.teen.asasitivetouch.easytouch
Current Version | 1.0
Developer | MoJetStudio
Contact Email | Mojetstudio@gmail.com
Domain | n/a
Address | Mojet Studio, Indonesia
Assistive Touch 2020 on the Google Play Store
Source: White Ops Threat Intelligence, November 2020
Interestingly, the apps didn’t really try to cover their tracks. All of them embed the open-source Evernote job scheduler, which is used as a persistence mechanism (Note: Evernote is also a victim of this operation):
Evernote Job Scheduler embedded in the code
Source: White Ops Threat Intelligence, November 2020
A quick lookup for Evernote jobs led us to the entry point of the out-of-context ads controller located inside the AdsJob class. It’s worth noting that all of the code presented in this report is located inside the com.tdc.adservice package.
Entrypoint of the out-of-context ads controller
Source: White Ops Threat Intelligence, November 2020
Based on the configuration received from the server, the job displays either in-house ads or out-of-context interstitials.
Ad configuration settings
Source: White Ops Threat Intelligence, November 2020
The ads being displayed are retrieved dynamically from a JSON hosted in the cloud when the app is first launched, and then again at regular intervals.
Ad retrieval process
Source: White Ops Threat Intelligence, November 2020
The retrieved data is then stored inside the shared preferences of the app, with the data being proxied through the AppConfig class. By using legitimate developer tools both for persistence and for launching the out-of-context ads, the authors of the SDK managed to fly under the radar for at least two years with only one reference on VirusTotal.
One single detection on VirusTotal
Source: White Ops Threat Intelligence, November 2020
How It Worked
Once the app is installed, it reaches out to the command-and-control server mentioned above:
First connection to the C2, after installation
Source: White Ops Threat Intelligence, November 2020
The fullFrequency parameter seems to control how often the ads are displayed (in this example, every three hours). The inHouseEnable parameter determines whether ads for in-house products are displayed and which platform the interstitial should be retrieved from.
C2 communication across multiple apps
Source: White Ops Threat Intelligence, November 2020
After a grace period of a couple of hours (depending on the command-and-control server’s configuration), out-of-context interstitials started appearing on the device.
Capture of a Retrieved Interstitial
Source: White Ops Threat Intelligence, November 2020
The out-of-context interstitial excludes itself from the list of recent apps, and as soon as the user navigates away from it, it disappears. The previous activity on the stack was the phone’s launcher, as seen in the second part of the gif above. The network traffic, seen below, also associates it with the analyzed app, which was not running at all at the moment the ad popped up.
Network traffic capture
Source: White Ops Threat Intelligence, November 2020
What Do I Do?
Simply put, if you have one of the apps referenced in the Appendix below, remove it from your mobile device. Additionally, the Satori Team recommends blocking any apps that call ads from activities inside the package com.tdc.adservice.*. Even though platforms could choose to allow legitimate traffic from these apps by blocking only the out-of-context ads, the Satori Team recommends using the heavier-handed approach of blocking all the apps, since they were likely created very specifically to take advantage of the digital ecosystem.
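One way to apply the package-based block to an APK, as an added example (not code from the Satori team or the original post): it scans a manifest that has been decoded to text XML (for example with apktool) for components declared under com.tdc.adservice. The sample manifest, its package name and the ExampleAdActivity class are constructed for illustration; the Evernote android-job match is reported as context only, since that library is legitimate.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
AD_SDK_PREFIX = "com.tdc.adservice."          # package named in the report
JOB_LIB_PREFIX = "com.evernote.android.job."  # legitimate library, context only
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; package and ExampleAdActivity are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.copycat">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="com.tdc.adservice.ExampleAdActivity"
              android:excludeFromRecents="true"/>
    <service android:name="com.evernote.android.job.v21.PlatformJobService"/>
  </application>
</manifest>"""

def fq_name(package, name):
    """Resolve manifest shorthand ('.Foo' or 'Foo') to a fully qualified class."""
    if name.startswith("."):
        return package + name
    return name if "." in name else f"{package}.{name}"

def scan_manifest(xml_text):
    """Return the ad-SDK components found and a block/allow verdict."""
    root = ET.fromstring(xml_text)
    package = root.get("package", "")
    result = {"package": package, "ad_sdk": [],
              "hidden_ad_activities": [], "android_job": False}
    app = root.find("application")
    for el in (app if app is not None else []):
        if el.tag not in COMPONENT_TAGS:
            continue
        name = fq_name(package, el.get(ANDROID_NS + "name", ""))
        if name.startswith(JOB_LIB_PREFIX):
            result["android_job"] = True   # not suspicious on its own
        if name.startswith(AD_SDK_PREFIX):
            result["ad_sdk"].append(name)
            # Activities hidden from the recents list match the behaviour described above.
            if el.tag == "activity" and el.get(ANDROID_NS + "excludeFromRecents") == "true":
                result["hidden_ad_activities"].append(name)
    result["block"] = bool(result["ad_sdk"])  # verdict depends only on the ad SDK package
    return result

if __name__ == "__main__":
    print(scan_manifest(SAMPLE))
```

The verdict keys on the com.tdc.adservice package alone, so an app that merely bundles the Evernote job scheduler is not flagged.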
When downloading a new app, make sure that you’re getting the real, official version of what you’re trying to get. Look at the reviews, not just the glowing five-star reviews, but also the one- and two-star reviews. Those are the ones that will call out ads that don’t belong and will alert you if something is amiss.
Appendix
Download the full list of apps associated with this investigation here. (txt file)