A sophisticated mobile ad fraud operation dubbed "SlopAds" has infiltrated the Google Play Store with 224 malicious applications that collectively amassed over 38 million downloads across 228 countries and territories.
The campaign represents one of the most extensive mobile fraud schemes discovered to date, using advanced steganography techniques and multi-layered obfuscation to deliver fraudulent advertising payloads while evading detection mechanisms.
The threat actors behind SlopAds demonstrated remarkable sophistication by implementing a conditional fraud system that only activated when users installed the apps through specific advertising campaigns, rather than through organic Play Store visits.
This selective activation mechanism helped the malicious applications maintain their presence on the platform for extended periods while appearing legitimate to casual users and automated security systems.
HUMAN Security analysts identified the operation while investigating anomalous patterns in their Ad Fraud Defense solution data.
The researchers discovered that SlopAds applications were generating roughly 2.3 billion fraudulent bid requests daily at peak operation, with traffic distribution heavily concentrated in the United States (30%), India (10%), and Brazil (7%).
[Figure: Global distribution of SlopAds-associated traffic (Source: HUMAN Security)]
The campaign's global reach and massive scale underscore the threat actors' sophisticated infrastructure and operational capabilities.
The malicious applications used Firebase Remote Config, a legitimate Google development tool, to retrieve encrypted configuration data containing the URLs for downloading the primary fraud module, referred to as "FatModule."
This abuse of a trusted development platform demonstrates how cybercriminals increasingly leverage legitimate services to mask their malicious activity and avoid detection by security solutions.
Advanced Steganographic Payload Delivery System
SlopAds employed a particularly innovative payload delivery mechanism that showcased the evolving sophistication of mobile malware operations.
The system used digital steganography to hide malicious code inside seemingly innocuous PNG image files, effectively bypassing traditional security scanning methods that focus on analysing executable files.
[Figure: SlopAds operation (Source: HUMAN Security)]
When an infected application passed its initial verification checks, the command-and-control servers delivered four specially crafted PNG files inside encrypted ZIP archives.
These images contained hidden APK components that, once decrypted and reassembled, formed the complete FatModule responsible for executing the fraud operations.
The steganographic approach allowed the malicious payload to pass through network security filters and app store scanning systems without triggering conventional malware detection algorithms.
The FatModule included several anti-analysis features, including debugging tool detection that specifically looked for hooking frameworks, Xposed modules, and the Frida instrumentation tools commonly used by security researchers.
Additionally, the module employed string encryption throughout its codebase and used packed native code to obscure its true functionality from static analysis tools.
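The report does not say exactly how the APK pieces were embedded in the images, so the following added triage script (not HUMAN Security's code) checks the two places a smuggled archive most often hides in a PNG: chunk types the PNG standard does not define, and bytes appended after the IEND chunk. The sample PNG and the payloads it carries are constructed inline for testing.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
STANDARD_CHUNKS = {b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"tRNS", b"gAMA",
                   b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"pHYs", b"sBIT", b"sPLT", b"hIST", b"tIME"}
# Magic bytes of the containers a smuggled APK component would typically use.
SUSPICIOUS_MAGIC = {b"PK\x03\x04": "zip/apk", b"dex\n": "dex"}

def png_chunk(ctype, data):
    """Encode one PNG chunk: big-endian length, 4-byte type, data, CRC32 of type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def inspect_png(blob):
    """Return a list of triage findings for a PNG: unknown chunks, embedded
    archive headers, and any bytes that follow the IEND chunk."""
    findings = []
    if not blob.startswith(PNG_SIG):
        return ["missing PNG signature"]
    pos = len(PNG_SIG)
    while pos + 8 <= len(blob):
        length, ctype = struct.unpack(">I4s", blob[pos:pos + 8])
        data = blob[pos + 8:pos + 8 + length]
        name = ctype.decode("latin1")
        if ctype not in STANDARD_CHUNKS:
            findings.append(f"non-standard chunk {name} ({length} bytes)")
        for magic, kind in SUSPICIOUS_MAGIC.items():
            if data.startswith(magic):
                findings.append(f"{kind} header inside chunk {name}")
        pos += 12 + length          # length(4) + type(4) + data + crc(4)
        if ctype == b"IEND":
            break
    trailing = blob[pos:]
    if trailing:
        kind = next((k for m, k in SUSPICIOUS_MAGIC.items() if trailing.startswith(m)), "unknown")
        findings.append(f"{len(trailing)} bytes after IEND ({kind})")
    return findings

def build_sample(appended=b"", extra_chunk=None):
    """Constructed 1x1 RGB PNG for testing; optionally add a custom chunk before
    IEND and/or append raw bytes after IEND to mimic a smuggled payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    body = png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    if extra_chunk:
        body += png_chunk(*extra_chunk)
    return PNG_SIG + body + png_chunk(b"IEND", b"") + appended
```

Pixel-level (LSB) steganography would not be caught by these structural checks; for that, compare the image's entropy or decoded pixel data against a known-good copy of the asset.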
// Decompiled FatModule anti-analysis check: returns true when any frame on the
// current thread's stack belongs to a class or method whose name suggests a
// hooking or instrumentation framework (generic hooks, Xposed, Frida).
public static Boolean m45535a() {
    try {
        StackTraceElement[] stackTrace = Thread.currentThread().getStackTrace();
        for (StackTraceElement element : stackTrace) {
            String className = element.getClassName() + "#" + element.getMethodName();
            if (className.toLowerCase().contains("hook") ||
                className.toLowerCase().contains("xpose") ||
                className.toLowerCase().contains("frida")) {
                return true;
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
    return false;
}
The fraud execution took place inside hidden WebViews that collected comprehensive device fingerprinting data, including hardware specifications, network information, and GPU details.
This information enabled precise targeting while the hidden interfaces navigated to threat actor-controlled cashout domains, generating fraudulent advertisement impressions and clicks without the user's awareness or interaction.
Google has since removed all identified SlopAds applications from the Play Store, and users receive automatic protection through Google Play Protect, which warns against and blocks the installation of known malicious applications even from third-party sources.