Almost a hundred apps across the Android (opens in new tab) and iOS ecosystems have been discovered engaging in advertising fraud, researchers have claimed.
The apps, 80 of which were built for Android, and nine for iOS, have more than 13 million downloads between them, and include games, screensavers, camera apps, and more – some with more than a million downloads.
Research (opens in new tab) from cybersecurity firm HUMAN Security found that by targeting advertising software development kits (SDK), the unknown threat actors were able to compromise these apps for their own personal benefit, in multiple ways: by pretending to be apps they’re not; by rendering ads in places where users wouldn’t be able to see them; and by faking clicks and taps (keeping track of real ad interactions and faking them later).
Evolution of Poseidon
The campaign, which HUMAN dubbed Scylla, is still ongoing, meaning at least some of the apps are still up and running. “These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla,” the researchers say.
The Charybdis operation the researchers mention is an older campaign, out of which Scylla evolved. Charybdis itself evolved from an even older campaign, called Poseidon, leading the researchers to conclude that the threat actors are actively developing these apps and that new variants are bound to appear.
HUMAN says it “worked closely” with both Google and Apple to have all of the identified malicious (opens in new tab) apps removed from the respective app repositories.
However, that doesn’t mean the threat is completely gone – users who have downloaded these apps in the meantime are still vulnerable, and will remain so until they remove them from their endpoints.
The company urges users to go through the entire list of apps found here (opens in new tab) and make sure they remove any apps they might have installed.