HUMAN Blog

The Party’s Over: HUMAN’s Satori Threat Intelligence and Research Team Cleans up “Konfety” Mobile Ad Fraud Campaign

Evil twins. Decoys. An abused and misused SDK named after candy.

It's like a dark fairytale, isn’t it? But this is no fiction. It's a cunning mobile advertising fraud campaign that peaked at 10 billion bid requests per day before HUMAN’s Satori Threat Intelligence and Research team disrupted it.

The scheme, which the Satori team named Konfety, involved an advertising SDK called CaramelAds and an “evil twin” evasion method that let the fraud operate undercover. The threat actors maintained non-malicious “decoy” applications on the Google Play Store, all of which used the CaramelAds SDK (the SDK itself is not inherently malicious). The 250+ decoy apps gave the illusion of belonging to many different developers, even though most are template-based games that the Konfety actors themselves owned. HUMAN also observed the actors re-selling ad inventory for applications they did not own directly.

As soon as HUMAN’s Satori Threat Intelligence team identified this activity, it began flagging high-confidence fraudulent traffic sourced from these applications. Once countermeasures were in place to protect our customers, we immediately observed the threat actors adapt: they redirected the malware's traffic to ad networks not protected by HUMAN. Partners that use HUMAN for pre-bid mitigation and post-bid detection are protected from Konfety's impacts.

According to Google, Google Play Protect warns users about, and disables, apps identified as “evil twin” apps. Google has been actively monitoring the campaign's variations and protecting users for as long as the campaign has existed.

Check out our report if you want to explore more technical details and understand the expertise of the Satori team.

Malvertising, Click-Baiting, and Drive-By Attacks, Oh My!

So, how was the Konfety group able to deploy its devious scheme?

The threat actors abused the CaramelAds SDK by building a stripped-down version of it, with the GDPR consent flow removed, and packaging that build into the evil twins, which fraudulently generated ads under the publisher accounts of the legitimate Google Play Store apps. The fraudsters created these “evil twins” in massive numbers, at a scale not previously seen, and infected users via malvertising, click-baiting, and drive-by attacks. The evil twins then:

  • Modified traffic to appear as though it originated from any type of device the actor chose
  • Opened any URL using the device browser
  • Did not perform any validation that the device was legitimate, that ads rendered correctly, or other checks standard in well-established networks 

Both the decoys and the evil twins used the CaramelAds SDK, but they used different domains for command and control (C2), some of them hosted on the same IP address as other CaramelAds infrastructure. The decoy apps contained the “full” version of the SDK, which includes a GDPR consent notice. The evil twins downloaded the SDK only as a second stage, once the application was fully set up, and used a pared-down version of the full SDK containing only the components needed to render out-of-context ads. Debug output and the GDPR consent screen were absent.
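The evil twins reused the bundle IDs of legitimate Play apps and rewrote device fields to look like whatever device the actor chose, so a buyer's first line of defence is consistency checking on the bid request itself. The following is an added example, not HUMAN's signatures and not any part of the CaramelAds SDK: it screens OpenRTB-style bid requests (field names app.bundle, device.ua, device.os, device.model, device.ip are assumed from OpenRTB 2.x) for a Play-distributed bundle claimed under a non-Android device, a User-Agent that disagrees with the structured device.os field, a bare device object, and an implausible request velocity from one (bundle, IP) pair. The allow-list, the velocity ceiling and the sample records are all constructed for the demo.

```python
"""Heuristic screening of OpenRTB-style bid requests for app and device spoofing.

Added example; neither HUMAN's detection logic nor part of the CaramelAds SDK.
Field names follow OpenRTB 2.x (app.bundle, device.ua, device.os, device.ip).
The allow-list, thresholds and sample records are constructed for the demo.
"""
import re
from collections import Counter
from typing import Dict, List

# Constructed allow-list: bundles the seller declares as Play-distributed. A
# genuine impression for these must come from an Android device, so a request
# reusing the bundle ID under another OS is spoofing the publisher account.
PLAY_BUNDLES = {"com.example.templategame1", "com.example.templategame2"}

# Hypothetical velocity ceiling for one (bundle, ip) pair within one batch window.
MAX_REQUESTS_PER_WINDOW = 50

_ANDROID_UA = re.compile(r"\bAndroid \d", re.IGNORECASE)
_IOS_UA = re.compile(r"\b(?:iPhone|iPad|iPod)\b.*\bOS \d", re.IGNORECASE)


def os_from_ua(ua: str) -> str:
    """Infer the OS family a User-Agent claims; 'unknown' when it is unclear."""
    if _ANDROID_UA.search(ua):
        return "android"
    if _IOS_UA.search(ua):
        return "ios"
    return "unknown"


def _key(req: dict) -> tuple:
    """(bundle, ip) pair used for velocity counting."""
    return ((req.get("app") or {}).get("bundle", ""), (req.get("device") or {}).get("ip", ""))


def screen_request(req: dict) -> List[str]:
    """Return the per-request spoofing indicators (empty list means clean)."""
    reasons: List[str] = []
    bundle = (req.get("app") or {}).get("bundle", "")
    dev = req.get("device") or {}
    declared_os = (dev.get("os") or "").strip().lower()
    ua_os = os_from_ua(dev.get("ua") or "")

    # Bundle belongs to a Play app, but the declared OS is not Android.
    if bundle in PLAY_BUNDLES and declared_os != "android":
        reasons.append("play_bundle_non_android_os")
    # The User-Agent and the structured device.os field disagree.
    if ua_os != "unknown" and declared_os and ua_os != declared_os:
        reasons.append("ua_os_mismatch")
    # A stripped SDK that renders nothing to a human tends to send bare device objects.
    if not dev.get("ua") or not dev.get("model"):
        reasons.append("sparse_device_object")
    return reasons


def screen_batch(requests: List[dict]) -> Dict[str, List[str]]:
    """Screen one window of requests; adds a velocity flag on top of per-request checks."""
    velocity = Counter(_key(r) for r in requests)
    flagged: Dict[str, List[str]] = {}
    for r in requests:
        reasons = screen_request(r)
        if velocity[_key(r)] > MAX_REQUESTS_PER_WINDOW:
            reasons.append("bundle_ip_velocity")
        if reasons:
            flagged[r["id"]] = reasons
    return flagged


ANDROID_UA = ("Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36")
IOS_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_0 like Mac OS X) "
          "AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148")


def sample_batch() -> List[dict]:
    """Constructed bid requests: one clean, two spoofed, plus a burst from one IP."""
    batch = [
        {"id": "clean-1", "app": {"bundle": "com.example.templategame1"},
         "device": {"ua": ANDROID_UA, "os": "Android", "model": "Pixel 7", "ip": "203.0.113.10"}},
        # Play bundle reused under an iOS device profile.
        {"id": "spoof-os", "app": {"bundle": "com.example.templategame1"},
         "device": {"ua": IOS_UA, "os": "iOS", "model": "iPhone15,2", "ip": "203.0.113.11"}},
        # Structured field says iOS, User-Agent says Android, and no model at all.
        {"id": "spoof-ua", "app": {"bundle": "com.example.templategame2"},
         "device": {"ua": ANDROID_UA, "os": "iOS", "ip": "203.0.113.12"}},
    ]
    # Sixty otherwise well-formed requests from a single (bundle, ip) in one window.
    for n in range(MAX_REQUESTS_PER_WINDOW + 10):
        batch.append({"id": f"burst-{n}", "app": {"bundle": "com.example.templategame2"},
                      "device": {"ua": ANDROID_UA, "os": "Android", "model": "Pixel 7",
                                 "ip": "198.51.100.7"}})
    return batch


if __name__ == "__main__":
    for rid, why in screen_batch(sample_batch()).items():
        print(rid, why)
```

Each check is weak on its own (a real user can legitimately send a sparse device object, and a carrier NAT can concentrate many devices behind one IP), which is why the function returns the list of reasons rather than a verdict: a buyer would feed these into a score alongside post-bid rendering and viewability checks rather than block on any single flag.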

Take the ad fraud component of Konfety as an example. From the app user's perspective, imagine a prompt asking whether you want to open a Wikipedia article in the app. The Konfety actors used this technique to hijack your phone screen and then:

  • Display full-screen, out-of-context, hard-to-escape ads every few minutes
  • Stack multiple ads at a time
  • Exploit notifications to engage with you, the victim

Cleaning up the Konfety

The Konfety campaign demonstrates a new way for cybercriminals to conduct ad fraud operations: the evil twin method circumvents official app store rules so that the fraud can run under a legitimate app's identity.

Before the HUMAN Satori team uncovered Konfety, the scheme peaked at 10 billion daily fraudulent bid requests. The campaign affected multiple entities across the advertising ecosystem, including ad networks, and could have affected developers unknowingly using the CaramelAds SDK. 

While the HUMAN Satori team could not determine how many evil twin downloads occurred, it has developed signatures for the Konfety scheme and is tracking any additional apps in openly available repositories. The team did not observe the Konfety threat on iOS. We have also provided our detection and signature insight to external partners, and as a result of these efforts fraudulent bid requests have substantially decreased.

HUMAN is dedicated to protecting the integrity of the internet and the authenticity of advertising. We work to define industry standards and advocate for adoption to protect the ever-evolving ecosystem.

If you’re part of the programmatic advertising ecosystem and want to harness HUMAN’s industry-leading protection, contact us today.