CyberWire Daily - Day to day app fraud in the Google Play store. [Research Saturday]
Episode Date: July 27, 2019
Researchers at bot mitigation firm White Ops have been tracking fraudulent apps in the Google Play store. These apps often imitate legitimate apps, even going so far as to lift code directly from them, but instead of providing true functionality they harvest user data and send it back to command and control servers. Marcelle Lee is a principal threat intel researcher at White Ops, and she shares their findings. The original research can be found here: https://www.whiteops.com/blog/another-day-another-fraudulent-app
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
To have an app in the Google Play Store, actually, there isn't a huge barrier to entry for that.
That's Marcelle Lee. She's a principal threat intel researcher at White Ops.
The research we're discussing today is titled Another Day, Another Fraudulent App.
There's a lot of apps that we've come across that, you know, they don't have like a known website or, you know, it's not like Zynga. It could be, you know, Marcelle, Marcelle.com
has created some apps. So basically they just joined the Google Developer Network and most
of the exchange between the developer and the Google Play Store is done via API access.
But yeah, like I said, the barrier to entry is
pretty low. And Google, of course, does monitor for bad activity, but it's like everything else
in this field, whack-a-mole. It's almost impossible to keep up with everything that's being placed
in the Play Store. And so you all set your sights on this app that's called Crazy Brainstorming.
First of all, describe to us, what does this app claim that it's going to do for you when you download it?
Crazy Brainstorming is a game kind of app and basically like a brain teaser puzzles and that sort of thing.
That's what it was purported to do.
It didn't really function particularly that way as we reveal within the course of our research.
But ostensibly, that's what it was meant to be doing.
And so I see this app.
I think this is something I might be interested in.
And I download it.
What happens next?
When you install the app, it goes through a sort of interesting series of: it will launch and put the icon on your desktop or your mobile app screen. And then it basically goes through this self-deletion process or what appears to be a self-deletion process. So the app icon
goes away. You won't find the app listed in your list of apps anymore, but it is actually still
there. It just makes it so it's almost impossible for the average user to remove it.
So why does it do this?
It's kind of a good question, right?
And really, the main thing that this app seems to be doing is delivering ad content and also
redirecting users to what appears to be, in our estimation, a malicious website.
And so with White Ops, that's something that we are particularly focused on is
looking for ad fraud, we work within that advertising
ecosystem. And there's actually, and I don't know, like the
actual dollars involved, but there's lots and lots of money
that's lost to ad fraud. So when I say ad fraud, I mean, like an
advertiser will pay for human clicks on a link or things
like that.
And then people like the developer of this app will cause ads to appear in ways that
are sort of not proper, if you will, in terms of how they are displayed and how they appear
to the user.
So there's many different flavors of ad fraud.
And at White Ops, we go by, there's actually a taxonomy from a group called TAG.
It's the Trustworthy Accountability Group.
And to sort of put it in context of like cybersecurity, it's almost like an ISAC for advertising industry.
So it's like the same kind of things, but not exactly the same industry, if you get what I'm saying.
Yeah.
TAG puts out this invalid traffic taxonomy, and it has a variety of different categories of what's considered invalid traffic.
And you have general invalid traffic and then sophisticated invalid traffic.
So that's the kind of things that we're looking for that fall under these categories. And then similarly, from more of a
true cybersecurity perspective, we also use the MITRE mobile attack framework to categorize that
sort of malicious activity. So we combine those when we're doing the analysis of these apps.
This app installs itself, it hides itself, and then it's using, do I have the pronunciation
right? The Tushu software development kit is what's running under the hood?
Yes, that is what's running under the hood, and your guess on pronunciation is as good as mine. We call it Tushu also.
But yeah, so the Tushu SDK is really the brains behind the whole thing. There are other SDKs within the app, but this was the one that was
really creating most of the malicious activity,
things like the ad behavior. And then the other piece is where the app launches this game center
thing that looks like an app and it appears on the screen as an app icon, but it literally is
just a browser shortcut, not an actual app. And the Tushu is behind all this activity as well.
And this is the part where the user is, they click on that, directed to the website that we discovered that was associated with
all this.
Yeah, it's interesting to me that in your research, you found that the ads are triggered
by a bunch of different activities with a mobile device.
Things like connecting or disconnecting
from a Wi-Fi network. What are the things that it's being triggered by and why do you suppose
it's interested in those changes of state? Basically, it's interested in those changes
of state because it means that the user is actively on the device and is therefore going
to probably see an ad that pops up. So it does these full screen ads that are completely out of context from the app. Like the ad pops up, you have absolutely no idea as a user
where it came from and you wouldn't necessarily be able to tie it back to the crazy brainstorming
app because as far as you knew on your phone, that was like not even on there anymore, right?
It looks like it disappeared. So they're not trying to hide the ads behind things. They are
actually displaying the ads.
Absolutely displaying the ads, which is, the hiding of the ads is another type of ad fraud where, you know, basically they are showing a bunch of ads that nobody ever sees.
But these ones are seen and they're very invasive, too, because they're popping up full screen, as I said, and it's hard for the user to get around them.
Pretty much the average user is going to probably click on the ad just trying to get rid of it.
And that's what's going to often take them to the other website.
And that's when they make their money, I suppose.
Yeah, they make the money from the ads. And then also there's even more crazy ad stuff happening on the website as well.
But yeah, so things like network connectivity changes,
the home key being pressed, unlocking the phone. These are all, you know, user
probably initiated activities and would all give rise to an ad appearing.
This crazy brainstorming app, it downloaded another app. It was sort of functioning as a dropper.
So it wasn't actually another app. It just had the appearance of an app. So it looked
like something was installed called Game Center on the screen of the device. But in actuality,
it was just a browser shortcut. So just imagine it was a hyperlink hidden behind an icon.
And so as soon as you click that,
you didn't actually launch an app.
You just opened a website.
And what was at that website?
So that was the H5 Games website.
And there were various different sort of iterations,
but h5games.top was the one
that we did most of our research on.
Now we're talking about a traditional website
and it's called Game Center.
It appears to be a website
that just has games for you to play
and lots of advertising too, of course.
And some of the advertising was legit,
but a lot of it was somewhat less than legit,
I guess I'd say.
And then the games themselves,
when you tried to actually play a game on this website, it didn't really work. It was really laggy or you would click on things and
nothing actually happened. So the game aspect of it didn't really seem to be legit at all.
Were they trying to download malware onto your system as well?
Yeah. So this was actually pretty crazy.
I don't think I've ever seen a website quite this busy with trying to install things on
your computer.
There was just a lot of pop-up ads.
And some of the ones that we saw were, there was this thing called Doc2PDF, which was ostensibly
an application that would allow you to convert, like I say, a Word doc to a PDF.
And that one, I think we have a screenshot in the blog about it.
The permissions of this particular file requested were kind of crazy, right?
Just accessing all kinds of information and reading and modifying bookmarks, storing client data.
So that was one example.
But there were many, many different ads that kept popping up.
And it was kind of funny, Dave, because like almost all of these,
they were either like an executable
that you would download
or they were a browser extension.
And the browser extensions were often bundled with,
you know, their own little search engine or whatever.
So if you started to download all these,
you would basically have like
all these different browser extensions
that were like kind of tripping over each other,
trying to be the search engine of choice. So trying to push each other out.
Yeah, ahead of the line.
Exactly. So it was kind of funny.
When you say these were trying to download executables, I mean, we're on a mobile device. Are these desktop executables or are these things designed to run on the mobile device?
So these are actually desktop executables, which is sort of interesting because, you know, you would think it's not really going to work on a mobile
device. So the only thing I can think with that really is, I did see some suggestions when the
site was still up that you could use this app in an emulated device on, like, your Windows desktop
computer. So say you're running some
kind of Android emulator to play games, which apparently is a thing that people do. It's
not a thing that I do. But yeah, so if you were doing this on a Windows desktop, then
absolutely these executables would impact you. But I mean, overall, it didn't seem terribly
well thought out from that aspect of it. And another thing that kind of pointed to being kind of, I don't know, a low-level player or
newbie-ish, was the advertisements: when you clicked on them and the website, they would just launch
within that same tab and window. And if you actually wanted to go back to the website,
you had to do that. You had to hit back. And websites don't render ads that way,
right? They don't want you to go off to another site and then lose your attention. So that was
a bit of an anomaly in terms of just sort of normal behavior.
Now, in terms of the actual crazy brainstorming app, you all dug in there and you found that
it was likely borrowing code from a legit app? Yes.
We discovered a bunch of references within the code to this other company, basically, and their app.
And when we dug into that,
we discovered that it was a legitimate company,
at least it appeared to be.
And, you know, they had a number of games.
And so we did this code comparison
and turned out that like at least 70% and probably more of the code was exactly the same.
And the crazy brainstorming game part as in this app from Renton.
So basically they just lifted the code from another game, but it didn't work very well because it kept like the code was so copied that it was calling back to the legit company for information.
And it just didn't work.
Walk through this with me, my line of thinking here, because it sounds like the crazy brainstorming
app never actually runs. You can't actually play crazy brainstorming on your device because the
first thing it does is it hides itself. So do we suppose that that code is in there
to get it past code review?
It could be.
I'm speculating here because I don't really know,
but that would make sense,
trying to get past code review
or just to at least have the appearance of a real game.
Because, I mean, there is, before it deletes itself,
it drops that Game Center shortcut.
And you could theoretically play it for a bit there.
But like we said, it doesn't really work.
So yeah, it's a bit odd because really the delivery seems to be of primarily the ads,
which never really stop.
And then the redirection to the website that we talked about.
I don't know.
It didn't seem terribly sophisticated in terms of being able to see exactly
like what the purpose was of this thing.
So it also leaves me scratching my head
that there were over a million downloads of this.
Yeah.
In like a month.
Yeah.
Well, and are there no reviews?
I don't know about you,
but before I download an app,
I generally check the reviews.
And I can't imagine there would be positive reviews for an app like this.
So any insights there?
So this is a bit of a mystery to our team as well.
We haven't quite worked out how an app like this can show that it has a million downloads.
We doubt that it legitimately had a million downloads.
So there must be some way to spoof that.
And that part we haven't figured out yet.
But we've seen this with other apps.
And it's just, it makes no sense for an app of this nature
to be on the Play Store for a month
and get a million downloads.
I see.
Unless the other thing
is, do they have bots driving
the activity? And really, it was a million downloads. So yeah.
But they're using that display of a million downloads as a misdirection for people to say,
oh, well, if a million people downloaded this, it must be good.
Exactly. And we've seen that with other apps too. So I don't know how they do it,
but I would definitely say it's a spoofed figure, not real.
Okay.
So yeah, you bring up a good point because I try to caution people all the time about being careful about what they are downloading on their phones, because I think
the average person tends to think if it's coming from the Play Store or the iTunes store, then it's
probably legit. And that just isn't the case, right? So,
like you said, looking at the reviews is a good way. And this app did not have good reviews at
all. People were like, it doesn't work, it's nothing but ads, things that were true.
And then if you look at the developer, that's something that I'll look at as well. And in this
case, the developer was a Linda Wang, which is sort
of weird. Usually it's like a company name, not a person's name. Their contact information
was just a random Gmail address. All these are things that would be red flags to me.
Like I want to see like a known developer and like an actual website that I could go
to to check them out as opposed to this sort of thing.
Now, suppose somebody downloads this, it's on their mobile device.
Was there any hope of your average mere mortal removing it?
It would be really tricky for the average person to do it because, like I said, the icon itself disappears,
so you can't do the little like finger drag to uninstall.
And it doesn't show up in the list of apps either.
So you would basically have to go into like settings somewhere where apps were listed in another capacity and remove it that way.
But it wouldn't be an easy thing to do.
Yeah. All right. Well, what are your recommendations then for folks to
protect themselves against this? I mean, what are the red flags?
Well, some of the things I said before you even download it, but once you've downloaded an app,
you're going to get a notification of what sort of permissions that app wants. This is another area
to be cautious because if it's like, say, a crazy brainstorming game app and it wants to know where you're located and, you know, there's different locations to like general versus sort of like a very granular.
Does it want access to all your contacts?
So on and so forth.
There's a lot of like sort of permission red flags for me. I also recommend that everybody has antivirus or anti-malware installed on their mobile devices
because that saved me more than one time in terms of not getting dinged by an app that was malicious
or a website too. It'll usually protect you from bad browsing stuff. So I always recommend that.
And it's surprising, Dave, hardly anybody I know ever has that on their phones.
Yeah, it's interesting. I think folks have a little false sense of security.
I think they think that these app stores are going to protect them. And that's not always the case.
Yeah, it really isn't. It's just like I said before, a whack-a-mole. There's just too much out there to keep on top of.
So, yeah, it's pretty interesting. And I will say it's a general rule of thumb. Like, I don't recommend installing apps that are flashlights.
Flashlight apps are notorious for carrying malware with them.
And most phones already have flashlights, so it's a little redundant anyway.
Also, a lot of apps that say that they're antivirus
are sometimes malware as well.
So again, you have to be careful.
Like, who is that publisher of that app?
You know, is it coming from a known antivirus company or is it coming from
Linda Wang? So there's things to look out for.
Our thanks to Marcelle Lee from White Ops for joining us.
The research is titled Another Day, Another Fraudulent App. We'll have a link in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland out
of the startup studios of Data Tribe, where they're co-building the next generation of
cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond,
Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe,
Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner.
Thanks for listening.