Researchers from the Satori Threat Intelligence team at HUMAN have found adware in 75 apps on Google Play and 10 more in the Apple App Store. In total, this adware has been installed more than 13 million times.

The experts informed Google and Apple of their findings, and all of the malicious applications have already been removed from the official Android and iOS stores. Let me remind you that we also wrote about the Raspberry Robin worm discovered in the networks of hundreds of organizations.

The experts named this malicious campaign Scylla. They believe it is already the third wave of the operation, which was first noticed in August 2019 and was called Poseidon. The second wave was named Charybdis and peaked at the end of 2020.

This time, the following applications were discovered. For iOS:
- Loot the Castle – com.loot.rcastle.fight.battle (id1602634568);
- Run Bridge – com.run.bridge.race (id1584737005);
- Shinning Gun – com.shinning.gun.ios (id1588037078);
- Racing Legend 3D – com.racing.legend.like (id1589579456);
- Rope Runner – com.rope.runner.family (id1614987707);
- Wood Sculptor – com.wood.sculptor.cutter (id1603211466);
- Fire-Wall – com.fire.wall.poptit (id1540542924);
- Ninja Critical Hit – wger.ninjacriticalhit.ios (id1514055403);
- Tony Runs – com.TonyRuns.game.
For Android (apps with over 1 million downloads):
- Super Hero-Save the world! – com.asuper.man.playmilk;
- Spot 10 Differences – com.different.ten.spotgames;
- Find 5 Differences – com.find.five.subtle.differences.spot.new;
- Dinosaur Legend – com.huluwagames.dinosaur.legend.play;
- One Line Drawing – com.one.line.drawing.stroke.yuxi;
- Shoot Master – com.shooter.master.bullet.puzzle.huahong;
- Talent Trap – NEW – com.talent.trap.stop.all.
[Figure: Advertising traffic in logs]

The experts say the fraudulent apps typically used an app ID that did not match their name, so that clicks and ad impressions appeared to advertisers to come from a more profitable software category. The researchers also noticed that a total of 29 malicious apps imitated about 6,000 CTV apps and regularly changed identifiers to avoid detection.

[Figure: The application receives instructions to change the ID]

The adware works quite simply: on Android, ads are loaded in hidden WebView windows, so the victim does not notice anything suspicious, since everything happens in the background. In addition, the malware abuses Android's JobScheduler to run ads while victims are not using their devices (for example, when the screen is off).

It is noted that, compared to the first Poseidon campaign, the Scylla applications have changed: they now rely on additional layers of obfuscation using the Allatori Java obfuscator. This makes them harder to detect and reverse engineer.
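The two behaviours described above, an app claiming an ad app ID that does not match its real package and an app rotating through many claimed IDs (including CTV ones), are what an ad platform or SDK vendor can look for on its own side. The following is an added detection example, not code from the article or from HUMAN's research. The log format (one `key=value` record per line with `pkg`, `app_id` and `platform` fields), the sample lines, the set of "known CTV app IDs" and the thresholds are all constructed assumptions; only the package name `com.different.ten.spotgames` is taken from the list in the article.

```python
"""Flag packages whose ad requests claim an app ID that does not match the
package the SDK actually runs in (added example; constructed log format)."""
import re
from collections import defaultdict

# Assumed record format: space-separated key=value pairs, one request per line.
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed: app IDs the platform knows belong to CTV (connected-TV) apps.
KNOWN_CTV_APP_IDS = {"com.bigtv.streamer", "com.other.ctvnews", "com.sports.ctv"}

# Constructed sample ad-request log. `pkg` is the package observed on the
# device, `app_id` is the ID the request claims to come from.
SAMPLE_LOG = """\
ts=1 pkg=com.example.notes app_id=com.example.notes platform=mobile
ts=2 pkg=com.example.notes app_id=com.example.notes platform=mobile
ts=3 pkg=com.different.ten.spotgames app_id=com.bigtv.streamer platform=mobile
ts=4 pkg=com.different.ten.spotgames app_id=com.other.ctvnews platform=mobile
ts=5 pkg=com.different.ten.spotgames app_id=com.sports.ctv platform=mobile
ts=6 pkg=com.different.ten.spotgames app_id=com.different.ten.spotgames platform=mobile
ts=7 pkg=com.ok.app app_id=com.ok.app platform=mobile
this line is malformed and must be skipped
"""

REQUIRED = ("pkg", "app_id", "platform")


def parse_line(line):
    """Turn one 'k=v k=v' record into a dict (empty dict for junk lines)."""
    return dict(FIELD_RE.findall(line))


def analyze(log_text, max_distinct_ids=2, mismatch_ratio=0.5):
    """Return {package: [reasons]} for packages showing ID-spoofing behaviour.

    Three signals are combined:
      * most requests claim an app_id different from the real package;
      * the package claims more than `max_distinct_ids` different app IDs
        (identifier rotation);
      * a mobile package claims an ID that belongs to a known CTV app.
    """
    per_pkg = defaultdict(lambda: {"total": 0, "mismatch": 0,
                                   "claimed": set(), "ctv_from_mobile": 0})
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not all(k in rec for k in REQUIRED):
            continue  # malformed record: skip rather than crash the pipeline
        stats = per_pkg[rec["pkg"]]
        stats["total"] += 1
        stats["claimed"].add(rec["app_id"])
        if rec["app_id"] != rec["pkg"]:
            stats["mismatch"] += 1
        if rec["platform"] == "mobile" and rec["app_id"] in KNOWN_CTV_APP_IDS:
            stats["ctv_from_mobile"] += 1

    findings = {}
    for pkg, s in per_pkg.items():
        reasons = []
        if s["mismatch"] / s["total"] > mismatch_ratio:
            reasons.append(f"{s['mismatch']}/{s['total']} requests claim a foreign app ID")
        if len(s["claimed"]) > max_distinct_ids:
            reasons.append(f"rotates through {len(s['claimed'])} claimed app IDs")
        if s["ctv_from_mobile"]:
            reasons.append(f"{s['ctv_from_mobile']} mobile requests claim a CTV app ID")
        if reasons:
            findings[pkg] = reasons
    return findings


if __name__ == "__main__":
    for pkg, reasons in analyze(SAMPLE_LOG).items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On the constructed log only `com.different.ten.spotgames` is reported, with all three reasons; the two well-behaved packages produce nothing. The thresholds are deliberately loose for a small sample; on real traffic they should be tuned per platform, and the "real package" field is only as trustworthy as the SDK-side attestation that produced it.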