RAINBOWMIX Apps in Google Play Serve Up Millions of Ad Fraud Victims

Collectively, 240 fraudulent Android apps — masquerading as retro game emulators — account for 14 million installs.
Researchers with White Ops have uncovered a scam to deliver millions of out-of-context (OOC) ads through a group of more than 240 Android applications on the official Google Play store, which the team said were collectively delivering more than 15 million impressions per day at their peak.
The apps have since been purged from Google Play, but users should delete them off their phones as well. The full list is available here.
The apps worked the way they were supposed to, for the most part, making them all the more effective at hiding in plain sight. Most were simple retro games like Nintendo NES emulators, and used “packer” software to bypass protections. The apps would then deliver OOC ads disguised to appear as if they were from reputable sources like Chrome and YouTube, according to the White Ops team.
“The main tool in the adware developer’s arsenal are the packers,” Gabriel Cirlig, principal threat intelligence analyst for White Ops, told Threatpost. “They cloak and allow a threat to exist under the guise of intellectual property protection. However, once they passed any antivirus [protections] a user might have, the OOC ads were able to stay undetected for a period of time by pretending to be coming from popular applications and social-media platforms, such as YouTube and Chrome. Because of this, users think the ads are coming from legitimate platforms and do not get suspicious.”
The White Ops team of researchers, including Gabriel Cirlig, Michael Gethers, Lisa Gansky and Dina Haines — who named the investigation “RAINBOWMIX,” inspired by the 8-16 bit color palette running throughout the retro game apps — found that these fraudulent apps were downloaded more than 14 million times by unsuspecting users.
The various applications’ reviews show there wasn’t a lot of attention being paid to the RAINBOWMIX group.
“Most of the RAINBOWMIX apps have a ‘C-shaped’ rating distribution curve (with primarily one- and five-star reviews, which is common with suspect apps),” the team reported.
All of the RAINBOWMIX apps were loaded with the Tencent Legu packer, they add, noting that some did give clues to their nefarious intent, if you looked hard enough.
“It is worth noting that even while packed, these apps exhibit some potentially suspicious behavior corresponding to the interstitial component of the ad SDKs, which are renamed with labels that point to well-known apps,” the researchers said.
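The two clues the researchers describe, a C-shaped rating curve and ad-SDK interstitial components relabelled after well-known apps, can be turned into a simple analyst-side triage check. The Python below is an added example, not White Ops' tooling and not code from the article; the sample manifest, the review histogram, the brand-to-package mapping and the 75% threshold are all constructed for illustration.

```python
"""Triage heuristics for suspect Android ad apps (added example, not White Ops tooling).

Two signals from the RAINBOWMIX write-up are checked:
  1. A "C-shaped" review distribution: most ratings sit at one and five stars.
  2. App components (activities, services, receivers) whose android:label
     names a well-known app while the declaring package is not that app.
Everything below (manifest, histogram, brand list, threshold) is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Assumed mapping of brand keywords to the package(s) allowed to use them.
KNOWN_BRANDS = {
    "youtube": {"com.google.android.youtube"},
    "chrome": {"com.android.chrome"},
}

# Constructed manifest for a hypothetical retro-emulator app whose ad SDK
# components carry labels that point to other, well-known apps.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.retro.nes">
  <application android:label="Retro NES Player">
    <activity android:name=".MainActivity" android:label="Retro NES Player"/>
    <activity android:name="com.adsdk.InterstitialActivity" android:label="YouTube"/>
    <service android:name="com.adsdk.AdService" android:label="Chrome Update"/>
    <receiver android:name="com.adsdk.BootReceiver" android:label="Ad Receiver"/>
  </application>
</manifest>"""

# Constructed star-rating histogram: star count -> number of reviews.
SAMPLE_HISTOGRAM = {1: 410, 2: 30, 3: 25, 4: 60, 5: 475}


def is_c_shaped(histogram, edge_share=0.75):
    """True when at least edge_share of all ratings are one- or five-star."""
    total = sum(histogram.get(star, 0) for star in range(1, 6))
    if total == 0:
        return False
    edges = histogram.get(1, 0) + histogram.get(5, 0)
    return edges / total >= edge_share


def impersonating_components(manifest_xml):
    """Return (component_name, label, brand) for every activity/service/receiver
    whose label contains a known brand that the package does not own."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    hits = []
    for elem in root.iter():
        if elem.tag not in ("activity", "service", "receiver"):
            continue
        label = elem.get(f"{{{ANDROID_NS}}}label", "")
        name = elem.get(f"{{{ANDROID_NS}}}name", "")
        for brand, owners in KNOWN_BRANDS.items():
            if brand in label.lower() and package not in owners:
                hits.append((name, label, brand))
    return hits


def triage(manifest_xml, histogram):
    """Combine both signals into a simple verdict for an analyst queue."""
    hits = impersonating_components(manifest_xml)
    c_shaped = is_c_shaped(histogram)
    if hits and c_shaped:
        verdict = "review"      # both heuristics fire: prioritise manual analysis
    elif hits or c_shaped:
        verdict = "watch"       # one weak signal: keep an eye on it
    else:
        verdict = "clear"
    return {"verdict": verdict, "c_shaped": c_shaped, "impersonations": hits}


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST, SAMPLE_HISTOGRAM)
    print("verdict:", result["verdict"])
    for name, label, brand in result["impersonations"]:
        print(f"  {name} labelled {label!r} (looks like {brand})")
```

The manifest check only inspects labels, so it is a cheap first pass over an unpacked APK rather than a replacement for dynamic analysis; a packed app may not reveal these components until the real DEX is loaded at runtime.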