White Ops, an ad verification, bot detection and cybersecurity firm, has identified a large number of apps that mimic well-known apps on the Google Play Store to garner downloads, only to then trick the user into seeing many unexpected ads.
CopyCatz is the name of the latest Satori Threat Intelligence and Research investigation. White Ops found 164 apps, with more than 10 million downloads among them. All were removed from the Play Store.
The apps contained code capable of displaying out-of-context ads. “The apps’ behavior is controlled by a command-and-control JSON hosted on Dropbox (Note: Dropbox is another victim, not a participant, in the CopyCatz operation),” wrote investigators in the Satori Threat Intelligence and Research Team. “The URL of the JSON differs from app to app, but the structure is very similar, indicating the frequency of the ads and the Publisher ID to be used.”
The first app spotted that triggered out-of-context ads — Assistive Touch 2020 — is a copy of the legitimate app, Assistive Touch. The name is misspelled, which is common, and that is how the team partially identified the fake.
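The misspelled-name clue described above can be turned into a triage heuristic. As an added example (not code from White Ops or the report), the script below normalizes app titles, strips the year and edition suffixes that copycats append, and scores each listing against a catalogue of trusted titles; all titles and package names here are constructed for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed catalogue of legitimate app titles a defender already trusts.
KNOWN_APPS = ["Assistive Touch", "File Manager", "QR Code Scanner"]

# Constructed store listings to triage. "Assistive Touch 2020" is the lookalike
# named in the report; the other titles and all package names are hypothetical.
LISTINGS = [
    ("Assistive Touch 2020", "com.example.assistivetouch2020"),
    ("Asistive Touch", "com.example.asistive"),
    ("Weather Radar Pro", "com.example.weather"),
    ("File Manager", "com.example.filemanager"),
]

def normalize(title: str) -> str:
    """Lower-case, drop punctuation, and remove year/edition suffixes that
    copycats tack onto an otherwise copied name (e.g. "... 2020", "... Pro")."""
    t = title.lower()
    t = re.sub(r"[^a-z0-9 ]+", " ", t)
    t = re.sub(r"\b(19|20)\d{2}\b", " ", t)                  # years
    t = re.sub(r"\b(pro|plus|new|free|lite|v?\d+)\b", " ", t)  # editions/versions
    return " ".join(t.split())

def classify(title: str, known=KNOWN_APPS, threshold: float = 0.85):
    """Return (verdict, closest_known_title, similarity) for one listing title.
    'lookalike' covers both suffix-only copies and near-miss misspellings."""
    n = normalize(title)
    scored = [(k, SequenceMatcher(None, n, normalize(k)).ratio()) for k in known]
    best, score = max(scored, key=lambda x: x[1])
    if n == normalize(best):
        # Same name once suffixes are stripped: exact if the title is identical,
        # otherwise a copied name with a decoy suffix.
        return ("exact" if title == best else "lookalike"), best, score
    if score >= threshold:
        return "lookalike", best, score  # probable misspelling of a known title
    return "unrelated", best, score

def flag_lookalikes(listings=LISTINGS, known=KNOWN_APPS):
    """Return (title, package, matched_known_title) for every lookalike listing."""
    flagged = []
    for title, package in listings:
        verdict, best, _ = classify(title, known)
        if verdict == "lookalike":
            flagged.append((title, package, best))
    return flagged

if __name__ == "__main__":
    for row in flag_lookalikes():
        print("lookalike: %s (%s) mimics %s" % row)
```

An exact title match is not proof of legitimacy; compare the package name against the publisher's known package before trusting it.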
The apps did not try to cover their tracks, the team wrote. All embedded an open-source Evernote component, Evernote itself being another victim here, along with a job scheduler that was used as a persistence mechanism.
The ads displayed in these fake apps are either an in-house ad or out-of-context interstitials, depending on the configuration received from the server.
That configuration is then stored inside the app's shared preferences, together with the accompanying data.
By leveraging legitimate developer tools to establish persistence, and by labelling the out-of-context ads with names that suggest something else, the authors of the SDK managed to fly under the radar for at least two years with only one reference on VirusTotal. Once the app is installed, it reaches out to the command-and-control server, and the ads then start appearing on the device.