- Aggressive adware apps invade tens of thousands of devices
- Operators designed the apps to run unhindered in the background
- Google removed all of the fake apps from the Play Store
Security researchers from White Ops have discovered and tracked a vast ad fraud botnet that used dozens of Android apps promising users free items on the condition that they keep the app installed for at least two weeks.
At the peak of its activity, the botnet, named TERRACOTTA, had more than 65,000 infected devices, spoofed more than 5,000 apps and generated about 2 billion fraudulent bid requests. Such aggressive adware is usually after one thing — to generate as many fake clicks as possible and create the impression of users actively clicking on ads.
The old saying, “If something seems too good to be true, it probably is,” encapsulates the TERRACOTTA botnet offering. Apps offered users shoes, coupons or concert tickets, and people didn’t have to pay a dime. If someone were to give out free shoes on a street corner, everyone would be immediately suspicious. Why not feel the same suspicion when the offer comes from a random Android app?
“The TERRACOTTA malware offered Android users free goods in exchange for downloading the app—including shoes, coupons, and concert tickets—which users never received,” said the researchers. “Once the app was installed and the malware activated, the malware used the device to generate non-human advertising impressions purporting to be ads shown in legitimate Android apps.”
The cybercriminals wrote the apps using the React Native cross-platform development framework, which didn’t raise any flags. On the other hand, the apps did require two powerful permissions, WAKE_LOCK and FOREGROUND_SERVICE, that let them run uninterrupted and invisible in the background.
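The permission pair the article singles out is something an app reviewer or analyst can check for mechanically. The following script is an added example, not code from White Ops or from the TERRACOTTA apps: it parses a decoded AndroidManifest.xml (the manifest inside a real APK is binary-encoded and would first need to be decoded with a tool such as apktool), lists the requested permissions, and flags the combination of WAKE_LOCK, FOREGROUND_SERVICE and INTERNET as a persistence-plus-network pattern worth a closer look. The two manifests embedded in it are constructed samples; the package names, labels and service names are invented.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Android manifest attributes live in this namespace; ElementTree exposes
# android:name as "{namespace}name".
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# The two permissions the article names as enabling persistent, invisible
# background execution. INTERNET is what turns persistence into ad traffic.
PERSISTENCE_PERMISSIONS = {
    "android.permission.WAKE_LOCK",
    "android.permission.FOREGROUND_SERVICE",
}
NETWORK_PERMISSION = "android.permission.INTERNET"

# Constructed sample: a "free goods" app requesting the suspicious combination.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeshoes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <application android:label="Free Shoes">
        <service android:name=".BackgroundAdService"/>
    </application>
</manifest>
"""

# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> Set[str]:
    """Return every permission the manifest declares with <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(NAME_ATTR)
        for el in root.iter("uses-permission")
        if el.get(NAME_ATTR)
    }


def declared_services(manifest_xml: str) -> List[str]:
    """Return the class names of all <service> components (background workers)."""
    root = ET.fromstring(manifest_xml)
    return [el.get(NAME_ATTR) for el in root.iter("service") if el.get(NAME_ATTR)]


def triage(manifest_xml: str) -> Dict[str, object]:
    """Summarise the manifest and flag the persistence-plus-network pattern.

    The flag is a triage heuristic, not proof of fraud: legitimate apps such as
    music players also hold these permissions. It simply marks the app for
    manual review of what its foreground service actually does.
    """
    perms = requested_permissions(manifest_xml)
    persistence = perms & PERSISTENCE_PERMISSIONS
    has_network = NETWORK_PERMISSION in perms
    flagged = persistence == PERSISTENCE_PERMISSIONS and has_network
    return {
        "permissions": sorted(perms),
        "persistence_permissions": sorted(persistence),
        "services": declared_services(manifest_xml),
        "flagged": flagged,
        "reason": (
            "holds WAKE_LOCK + FOREGROUND_SERVICE + INTERNET: can stay awake, "
            "run invisibly and talk to the network; review its services"
            if flagged
            else "no persistence-plus-network pattern"
        ),
    }


if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{label}: flagged={result['flagged']} ({result['reason']})")
        print(f"  permissions: {result['permissions']}")
        print(f"  services:    {result['services']}")
```

The heuristic deliberately requires all three permissions together: WAKE_LOCK alone is common and FOREGROUND_SERVICE alone is required for any visible long-running task, so either on its own would produce far too many false positives. An app that matches is worth decompiling to see what the service in the `services` list does while the screen is off.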
Google was quick to remove all of the TERRACOTTA apps, every one of which its operators had built with the React Native framework. Interestingly, removal from the official store doesn’t mean the software is gone from the devices. Many of the apps remain active, although they can no longer generate funds for their operators.