Despite Google’s best efforts, its Play Store problem persists. A new report has just exposed a vast network of more than 250 “evil twin” applications on the official Android store, acting as decoys for malicious non Play Store duplicates.
HUMAN Security has dubbed this threat Konfety, and explains that “one evil twin version is distributed via malvertising and malicious downloads and performs ad fraud,” while shielded by its harmless Play Store duplicate. “At its peak,” HUMAN says, “Konfety-related programmatic bids reached 10 billion requests per day.”
Konfety abuses the CaramelAds mobile advertising SDK, with the evil twins much more widespread than their Play Store versions. But it’s those harmless decoys that provide the fraudulent revenue stream, “by spoofing the [Play Store decoy’s] app ID and advertising publisher IDs for the purposes of requesting and rendering ads.”
While ad fraud is painful and can have a detrimental effect on an infected device (think bandwidth and battery usage), this same campaign has also been caught directing users to websites with malware-laced apps, which is a different level of threat.
HUMAN reports that Google Protect can now identify these evil twin apps. If you’re the kind of person with a habit of installing trivial apps from random developers, then you can check the list of known evil twins here. Clearly delete any you find.
A Google spokesperson told me that “users have been protected against the ‘Evil Twin’ apps for over a year with Google Play Protect, which is on by default on Android devices with Google Play Services [and] warns users and disables apps identified to be ‘Evil Twin’ apps.”
According to HUMAN’s Satori Threat Intelligence Team, which conducted the research, “although the decoy apps on the Play Store purport to be owned by different developers, they are template-based apps, many of which are owned by the Konfety threat actor group.” It was the relatively low install numbers combined with high ad traffic of the decoy apps that alerted HUMAN to the ongoing fraud.
This novel campaign provides an interesting twist on past ad fraud techniques, but yet again illustrates why it’s now so important to take care as to what’s installed from Play Store and especially from anywhere else. My advice remains to avoid downloading any apps through links or even third-party stores.
But at the same time a scan of the list of Play Store apps shows yet again that even the most trivial apps drive installs. This threat campaign required two things to operate successfully: users to install malicious apps outside Play Store, and users to install trivial apps from within Play Store. Both risky and yet both achieved with ease.
This report follows the news earlier this month that yet another Anatsa-laced app had been found and removed from Play Store. As such, the golden rules to staying safer on Android remain as critical for users as ever:
- Stick to official app stores: don’t use third-party stores and never change your device’s security settings to enable an app to load
- Check the developer in the app’s description: is it someone you’d like inside your life? And check the reviews, do they look legitimate or farmed? Avoid the indiscriminate installation of trivial apps you do not need.
- Do not grant permissions to an app that it should not need: torches and star-gazing apps don’t need access to your contacts and phone. And never grant accessibility permissions that facilitate device control unless you have a need.
- Never ever click links in emails or messages that directly download apps or updates; always use app stores for installs and updates.
- Ensure Google Play Protect is enabled on your device.