“Imitation is the sincerest form of fraudery (sic)” is how White Ops researchers Gabi Cirlig, Michael Gethers, Lisa Gansky and Adam Sell opened a Satori Threat Intelligence and Research investigation they call ‘CopyCatz’. They discovered 164 apps on the Google Play Store “that were mimicking notable apps to garner downloads, only to then trick the user into seeing a whole bunch of unexpected ads”.
Notably, the fraudulent apps garnered more than 10 million downloads, although they have already been removed from the Play Store. However, White Ops still warn that the apps contain code capable of displaying out-of-context ads under the com.tdc.adservice package that they discovered.
White Ops first observed such triggered out-of-context ads in an app called ‘Assistive Touch 2020’, a copy of a legitimate app, Assistive Touch. The imitation app has a package name of com.teen.asasitivetouch.easytouch - a misspelt version of the official one, a trait common to the apps in the CopyCatz operation.
Describing what the imitation apps did, White Ops said that the apps’ behaviour is controlled by a command-and-control JSON file hosted on Dropbox (another victim of the operation). The URL of the JSON differs from app to app, but the structure is very similar: it indicates the frequency of the ads and the Publisher ID to be used.
White Ops also found that the ads being displayed are retrieved dynamically from a JSON hosted in the cloud when the app is first launched and then again at regular intervals. “By leveraging legitimate tools used by developers to establish persistence and instantiation of the out-of-context ads, the authors of the SDK managed to fly under the radar for at least two years with only one reference on VirusTotal”, added White Ops.
Once an unsuspecting user installs the fraudulent app, it reaches out to the command-and-control server, and the out-of-context ads start appearing on the device. White Ops also noticed that an out-of-context ad excludes itself from the list of recent apps and disappears as soon as the user navigates away from it.
White Ops remind users who have one of the apps referenced in their list to remove it from their mobile device immediately. The Satori researchers also recommend blocking any apps that call ads from activities inside the package com.tdc.adservice.
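One way to apply that blocking recommendation when vetting apps, as an added example that is not from White Ops or the original article: this Python script scans an APK manifest that has already been decoded to text (for example with apktool) for components declared under com.tdc.adservice. It also reports whether each one sets android:excludeFromRecents, which is an assumption about how the recents-hiding behaviour is declared. The sample manifest and its component class names are constructed; only the two package names come from the article.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
FLAGGED_PACKAGE = "com.tdc.adservice"  # SDK package named in the article
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed sample of a decoded AndroidManifest.xml. Component class names
# are hypothetical; only the two package names come from the article.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.teen.asasitivetouch.easytouch">
  <application>
    <activity android:name=".MainActivity"/>
    <activity android:name="com.tdc.adservice.ExampleAdActivity"
        android:excludeFromRecents="true"/>
    <service android:name="com.tdc.adservice.ExampleService"/>
    <activity android:name=".SettingsActivity" android:excludeFromRecents="true"/>
  </application>
</manifest>
"""

def resolve(app_package, name):
    """Expand manifest shorthand ('.Foo' or 'Foo') to a full class name."""
    if name.startswith("."):
        return app_package + name
    return name if "." in name else app_package + "." + name

def scan_manifest(xml_text):
    """List components declared under FLAGGED_PACKAGE in a decoded manifest."""
    root = ET.fromstring(xml_text.strip())
    app_package = root.get("package", "")
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS:
            continue
        cls = resolve(app_package, elem.get(ANDROID + "name", ""))
        # Match on a package boundary so 'com.tdc.adservicex' is not flagged.
        if cls == FLAGGED_PACKAGE or cls.startswith(FLAGGED_PACKAGE + "."):
            findings.append({
                "app": app_package, "type": elem.tag, "class": cls,
                # Assumption: recents-hiding is declared here, not set at runtime.
                "hidden_from_recents":
                    elem.get(ANDROID + "excludeFromRecents") == "true",
            })
    return findings

if __name__ == "__main__":
    for finding in scan_manifest(SAMPLE_MANIFEST):
        print(finding)
```

An app's own activity that sets excludeFromRecents (the constructed SettingsActivity here) is not reported, because the check keys on the SDK package rather than on the attribute alone.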
“When downloading a new app, make sure that you’re getting the real, official version of what you’re trying to get. Look at the reviews, not just the glowing five-star reviews, but also the one- and two-star reviews. Those are the ones that will call out ads that don’t belong and will alert you if something is amiss”, concluded White Ops in their investigation.