Morioh
Login
Micheal Block

Micheal Block

3 years ago

Researchers with White Ops have uncovered a scam to deliver millions of out-of-context (OOC) ads through a group of more than 240 Android applications on the official Google Play store, which the team said were collectively delivering more than 15 million impressions per day at their peak.

The apps have since been purged from Google Play, but users should delete them off their phones as well. The full list is available here.

The apps worked the way they were supposed to, for the most part, making them all the more effective at hiding in plain sight. Most were simple retro games like Nintendo NES emulators, and used “packer” software to bypass protections. The apps would then deliver OOC ads disguised to appear as if they were from reputable sources like Chrome and YouTube, according to the White Ops team.

“The main tool in the adware developer’s arsenal are the packers,” Gabriel Cirlig, principal threat intelligence analyst for White Ops, told Threatpost. “They cloak and allow a threat to exist under the guise of intellectual property protection. However, once they passed any antivirus [protections] a user might have, the OOC ads were able to stay undetected for a period of time by pretending to be coming from popular applications and social-media platforms, such as YouTube and Chrome. Because of this, users think the ads are coming from legitimate platforms and do not get suspicious.”

The White Ops team of researchers, including Cirling, Michael Gethers, Lisa Gansky and Dina Haines, — who named the investigation “RAINBOWMIX,” inspired by the 8-16 bit color palate running throughout the retro game apps — found that these fraudulent apps were downloaded more than 14 million times by unsuspecting users.

**How RAINBOWMIX Infiltrated User Devices **

The various applications’ reviews show there wasn’t a lot of attention being paid to the RAINBOWMIX group.

“Most of the RAINBOWMIX apps have a “C-shaped rating distribution curve (with primarily one- and five-star reviews, which is common with suspect apps),” the team reported.

All of the RAINBOWMIX apps were loaded with the Tencent Legu packer, they add, noting that some did give clues to their nefarious intent, if you looked hard enough.

“It is worth noting that even while packed, these apps exhibit some potentially suspicious behavior corresponding to the interstitial component of the ad SDKs, which are renamed with labels that point to well-known apps,” the researchers said.

#malware #mobile security #web security #8-16 bit color palate #ad fraud #android #emulator #google play #malicious ads #malware #nintendo #ooc ads #out of context ads #rainbowmix #retro games #white ops

RAINBOWMIX Apps in Google Play Serve Up Millions of Ad Fraud Victims

threatpost.com

RAINBOWMIX Apps in Google Play Serve Up Millions of Ad Fraud Victims

RAINBOWMIX Apps in Google Play Serve Up Millions of Ad Fraud Victims. Collectively, 240 fraudulent Android apps — masquerading as retro game emulators — account for 14 million installs. ... Most were simple retro games like Nintendo NES emulators, and used “packer” software to bypass protections.

1.30 GEEK