White Ops discovers 29 fraudulent apps on Google’s app store
According to Ryan Murray, Director, Asia Pacific at White Ops, his company’s mission is to keep the Internet human. He shares more in an interview with Enterprise IT News.
EITN: White Ops detected 29 fraudulent apps recently. How did they evade detection by Android’s app store?
Ryan: It is the conundrum faced by the cybersecurity industry as a whole: entities must block every single attack but the threat actor needs only to evade detection once to be successful. Android’s Play Store has a rigorous detection program and a portion of these apps were already taken down prior to our research. All of the 29 apps were taken down from the Play Store prior to our publication.
White Ops Threat Intel searches for unique attack techniques in order to identify sets of apps that have these same traits, in order to improve our software and protect our customers. White Ops Threat Intel, as most do in the cybersecurity community, shares its findings with the affected entities before sharing the information publicly. Our mission is to keep the Internet human and we believe that includes educating our customers and Internet users on the ever-evolving ways threat actors are trying to evade detection.
EITN: Are the app publishers any organisation that is legitimate?
Ryan: Given that none of the mobile apps had any real functionality, meaning they did not function as advertised (i.e. to blur sections of an image), White Ops believes the app publisher(s) were not legitimate and created the apps solely to commit ad fraud.
EITN: How did White Ops discover these fraudulent apps?
Ryan: White Ops humans include talented Detection and Threat Intelligence subject matter experts whose role is to research and discover not only fraudulent apps but any emerging tactics and techniques being utilized to commit fraud online. With this unique team in the bot mitigation space, we are able to better protect and educate our customers and the greater community and constantly improve our platform. For more information: https://www.whiteops.com/products/platform
EITN: How can these apps be removed from phones?
Ryan: These apps also remove their launch icons shortly after installation, making it challenging for users to remove the app. In this way, the threat actors maintain persistence on the device in order to continue to profit from the out-of-context ads. Users need to go into the device’s Settings menu, locate the list of installed apps, and remove the app there.
EITN: What were these apps’ objectives? Just to display ads?
Ryan: The app’s main objective is to simply bombard the user with interstitial (full-screen) out-of-context (OOC) ads. The apps also launched an OOC web browser at random intervals while the user uses their phone, again with the objective of showing ads. Screenshots and a video of this behavior are included in our company blog post.
EITN: What is the ChartreuseBlur investigation?
Ryan: The White Ops Satori Threat Intelligence and Research Team identified a set of mobile apps that manifested suspiciously high volumes of ad traffic during their threat hunting investigations. After looking more closely at those apps and their similarly-developed counterparts, White Ops discovered 29 apps with code facilitating out-of-context (OOC) ads as well as a pretty clever way to evade detection.
White Ops dubbed this investigation CHARTREUSEBLUR: the majority of apps include the word “blur” in their package name, and many purport to be photo editors allowing a user to blur sections of the image. The “chartreuse” part, well, that’s just because the security researcher who named the investigation just liked the word.
About the Chartreuseblur apps: The threat actors used a 3-stage payload to try (unsuccessfully) to evade detection, meaning the out-of-context ad code was not visible upon first view (by either an automated code checker or a security researcher). The threat actor used both a code packer (a tool to compress computer code) and a stub app (a placeholder for future code) to try to evade detection. It is useful to note that these techniques have valid purposes in developing and testing mobile applications, but can also be used for illicit reasons.
EITN: How can one avoid dubious apps like these in future, apps that seem harmless but can evade screening by the app store?
Ryan: Mobile apps can also be downloaded through dubious 3rd party sites. These sites may seem harmless but have virtually no checks for fraudulent or malicious code. White Ops recommends that users stay clear of these sites and only use authorized sites for mobile apps, like Google’s Play Store or Apple’s App Store.
It will take a whole community, including users, to disrupt the economics of cybercrime and keep the Internet human. With posts like these, White Ops hopes to educate users on how to spot fraudulent mobile apps.
One way is to look for a C-shaped app rating distribution (an example of this is shared in the blog post) or look for many recent negative reviews. Threat actors purchase fraudulent reviews or use bots to install the apps in order to look legitimate. But when actual humans install and use the app, honest information is available.
Here are some questions a user can ask to help identify potential fraudulent ones:
Do the reviews talk about ads popping up all the time?
Do the reviews talk about the app disappearing or being unable to uninstall it?
Do the reviews have a lot of complaints that the app doesn’t work as advertised?
Are there a lot of 5-star reviews but the recent reviews are mostly 1-star?
Does the app publisher have a lot of downloads in a very short amount of time?
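The review checks described above, written out as an added example that is not part of the interview and not White Ops’ own tooling: a Python script that scores a constructed set of store reviews for a C-shaped star distribution, a recent wave of 1-star ratings, the complaint phrases named in the questions, and install velocity. The thresholds, keyword lists, sample reviews and install figures are illustrative assumptions, not data from the ChartreuseBlur research.

```python
"""Heuristics for spotting a suspicious app-store listing from its reviews.
All thresholds, keyword lists and sample reviews below are illustrative
assumptions made for this example."""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean


@dataclass(frozen=True)
class Review:
    stars: int      # 1..5
    posted: date
    text: str


# Complaint categories taken from the questions in the interview; the
# keyword lists are assumptions.
COMPLAINT_PATTERNS = {
    "ads": ("ads", "pop up", "popup"),
    "hidden_or_uninstallable": ("uninstall", "remove", "disappear", "vanish", "icon", "shortcut"),
    "not_working": ("doesn't work", "does not work", "not working", "as advertised"),
}


def star_histogram(reviews):
    """Return [count_1star, count_2star, ..., count_5star]."""
    counts = Counter(r.stars for r in reviews)
    return [counts.get(s, 0) for s in range(1, 6)]


def is_c_shaped(reviews, min_reviews=20, edge_share=0.75, min_each_edge=0.2):
    """C-shaped: most reviews sit at 1 or 5 stars, with a real pile at each end."""
    hist = star_histogram(reviews)
    total = sum(hist)
    if total < min_reviews:
        return False  # too few reviews to say anything about the shape
    one, five = hist[0] / total, hist[4] / total
    return (one + five) >= edge_share and min(one, five) >= min_each_edge


def recent_rating_drop(reviews, as_of, window_days=30, min_gap=2.0):
    """True when reviews in the last window average far below the older ones."""
    cutoff = as_of - timedelta(days=window_days)
    recent = [r.stars for r in reviews if r.posted >= cutoff]
    older = [r.stars for r in reviews if r.posted < cutoff]
    if len(recent) < 5 or len(older) < 5:
        return False  # not enough data on one side of the cutoff
    return mean(older) - mean(recent) >= min_gap


def complaint_counts(reviews):
    """Number of reviews hitting each complaint category (one hit per review)."""
    counts = {name: 0 for name in COMPLAINT_PATTERNS}
    for r in reviews:
        body = r.text.lower()
        for name, words in COMPLAINT_PATTERNS.items():
            if any(w in body for w in words):
                counts[name] += 1
    return counts


def installs_per_day(installs, days_listed):
    return installs / max(days_listed, 1)


def assess_listing(reviews, as_of, installs, days_listed, velocity_threshold=10_000):
    """Collect the red flags a user could check by hand on the store page."""
    flags = []
    if is_c_shaped(reviews):
        flags.append("c_shaped_ratings")
    if recent_rating_drop(reviews, as_of):
        flags.append("recent_one_star_wave")
    for name, n in complaint_counts(reviews).items():
        if n >= 3:
            flags.append(f"complaints:{name}")
    if installs_per_day(installs, days_listed) >= velocity_threshold:
        flags.append("install_velocity")
    return flags


# Constructed sample (not real reviews): purchased-looking 5-star reviews early
# on, then genuine 1-star complaints once real users installed the app.
AS_OF = date(2020, 4, 30)
SAMPLE_REVIEWS = (
    [Review(5, date(2020, 3, 1 + i), t) for i, t in enumerate([
        "Great app", "Love it", "Best blur app", "Nice filters", "Five stars",
        "Perfect", "Awesome", "Works great", "Good", "Cool", "Excellent",
        "Super", "Fast", "Recommended"])]
    + [Review(3, date(2020, 3, 20), "Okay but slow"), Review(3, date(2020, 3, 22), "Average")]
    + [Review(1, date(2020, 4, 2 + i), t) for i, t in enumerate([
        "Ads pop up all the time even when I'm not using it",
        "The icon disappeared after install and I can't uninstall it",
        "Doesn't work as advertised, just full screen ads",
        "Can't find the app to remove it, browser keeps opening",
        "Constant popup ads, phone is unusable",
        "App vanished from my home screen but keeps showing ads",
        "Does not work, blur never applies",
        "Removed my shortcut and spams ads"])]
)
# Constructed control set: steady 4- and 5-star reviews with no complaints.
HEALTHY_REVIEWS = [Review(5 if i % 3 else 4, date(2020, 4, 1 + i % 28), "Good app") for i in range(30)]

if __name__ == "__main__":
    print(star_histogram(SAMPLE_REVIEWS))
    print(assess_listing(SAMPLE_REVIEWS, AS_OF, installs=500_000, days_listed=20))
    print(assess_listing(HEALTHY_REVIEWS, AS_OF, installs=1_000, days_listed=100))
```

The C-shape test needs a minimum number of reviews before it says anything; a brand-new listing with a handful of ratings is not evidence either way. The install-velocity threshold is a placeholder: what counts as "a lot in a short time" depends on the category, so calibrate it against comparable legitimate apps rather than using the number here.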