EXECUTIVE SUMMARY:

Cyber security researchers have discovered and disrupted a mobile ad fraud campaign involving nearly 100 applications across the Google Play Store and the Apple App Store. Collectively, the applications have a total download count of 13 million. The campaign is an adaptation of a fraud operation that was initially identified in 2019.

What happened

Adware and other malware occasionally do slip past Google’s defenses and end up on the Play Store. However, this time, the malicious apps also managed to bypass Apple’s more rigorous security checks, landing on the App Store.

In addition to flooding mobile users with advertisements, both overt and covert, the fraudulent applications generate revenue by impersonating legitimate apps and impressions.

In the past, adware campaigns have resulted in gains upwards of $1.5 million for cyber criminals. While these apps do not represent a severe threat to device owners, criminal operators can use them to conduct further malicious activities.

Ad fraud apps

Google and Apple have received information about the researchers’ findings and have since removed certain apps from Android and iOS stores. On Android devices, the apps should be detected automatically, unless the Play Protect security option is disabled. For iOS, Apple has not provided specific instructions about how to remove adware apps that already exist on a device.

Ad fraud campaign

According to cyber security researchers, the new adware apps are part of a fraud campaign known as “Scylla.” These apps may represent the tip-of-the-iceberg within the third wave of a larger operation that was identified in 2019, named “Poseidon”. (Greek history buff? The second wave of malicious apps within this campaign were dubbed “Charybdis.”)

Avoiding adware

Adware can have a large range of capabilities. In some cases, it can elevate privileges to root, establish persistence and inject code. In other words, it can function as a portal through which more harmful malware can enter a device or as a starting point for other types of complex security disruptions.

Actionable steps

Exercise caution when downloading any new app, even if it has high-ratings and stellar reviews.

• When exploring reviews, search for video reviews, as they will allow you to see the app in-action before installing it on your device
• Configure your web browser so that it blocks all pop-ups
• Beware of phishing links that can surface via text message or email
  • If uncertain as to the legitimacy of a link, use a URL checker, like Google’s Transparency Report
• Consider installing antivirus on devices
• Consider investing in identity theft protection tools for your device
• Remove any applications that you do not specifically remember installing

Signs of adware

Wondering if you have adware on your desktop, laptop or phone? Look for the following indicators:

• Numerous pop-ups
• Rapid battery drainage
• Increased internet data usage
• Apps take longer than average to load
• Device crashing
• Redirected internet searches
• Web pages not displaying correctly

In the event that your device or system appears to have adware, take steps to remediate.

Android adware removal

1. Reboot your phone in ‘safe mode’, which disables third-party apps

2. Open ‘Settings’

3. Tap ‘Apps’

4. Uninstall suspicious apps, faulty apps, or apps that you do not remember installing

Ensure that ‘Play Protect’ is enabled, which periodically scans every app available on the Google Play Store in order to keep devices safe.

iOS adware removal

1. Open ‘Settings’

2. Tap ‘Clear History and Website Data’

3. Tap ‘Clear History and Data’

This should remove any malware that your device may have picked up via malicious links or infected websites.

For more information about adware campaigns, please see CyberTalk.org’s past coverage. Also, be sure to see these 10 eye-opening mobile malware statistics.

Lastly, to receive cutting-edge cyber security news, interviews, expert analyses and leading security resources, please sign up for the CyberTalk.org newsletter.