​Wallpaper Apps in Google Play Store spotted running Ad Fraud Scheme

• 15 Android wallpaper applications in the Google Play Store were spotted running click ad fraud scheme.
• Google has confirmed removal of all identified wallpaper apps from the Google Play Store.

Researchers spotted 15 wallpaper apps in the Google Play Store running an ad fraud scheme. The identified apps were found to be downloaded from the Play Store more than 222,200 times at the time of writing. The research also found Italy, Taiwan, the United States, Germany, and Indonesia with the most infections recorded. However, Google has confirmed the removal of all identified wallpaper apps from the Google Play Store.

Modus Operandi

Researchers from Trend Micro reported that almost 15 android wallpaper applications were detected to be committing ad fraud scheme. The identified applications were designed with attractive icons that promise beautiful mobile wallpapers. The apps also have high user reviews and good comments. Researchers suspect that these reviews are fake and meant to project credibility to users.

• Once the applications are downloaded and installed, the apps will then decode the C&C server address for the configuration.
• The entire process is muted to hide the activity from the user.
• An HTTP GET request is communicated to the C&C server for a JSON-formatted list once the app is launched.
• When the feed runs, each initialized feed and an object includes a fallback_URL, type, UA, URL, referer, x_requested_with, and keywords.
• The apps will then get the advertising ID from the Google Play Services.
• After obtaining the advertising ID, the apps will then replace some parameters in the URL, ANDROID_ID with the advertising ID, BUNDLE_ID with the fraudulent app’s package name, and the IP with the infected device’s current IP, and more.
• After replacement, the URL is loaded according to the type. While loading the URL, the browser background will be set to transparent. After the URL loads, the apps begin to simulate clicks on the ad page.

“The cybercriminals profit through the parameters’ value replacement. IDs provided by Google for Android developers such as the advertising ID, advertiser ID, and device ID are anonymous identifiers specific to users to monetize their apps. The app replaces ANDROID_ID, BUNDLE_ID, IP, USER_AGENT with the ad ID, the app’s package name, current IP, and the user agent of the current browser,” Trend Micro said.

These are all in the fallback_URL from the configuration file, creating a fraudulent fallback_URL for fake clicks. For instance, the original would be:

http[:]//pub[.]mobday[.]com/api/ads_api[.]php?ver=1.2&pubid=1022&adspace=1007&advid={ANDROID_ID}&bundle={BUNDLE_ID}&ip={IP}&ua={USER_AGENT}&cb=5c1236f316e45

This will be replaced with:

http[:]//pub[.]mobday[.]com/api/ads_api[.]php?ver=1.2&pubid=1022&adspace=1007&advid=260903559217b3a8&bundle=com[.]amz[.]wildcats&ip= 203[.]90[.]248[.]163&ua=Mozilla/5.0 (Linux; Android 6.0.1; MuMu Build/V417IR; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobile Safari/537.36&cb=5c1236f316e45

Researchers advise that mobile users should be vigilant and cautious of the applications they download, as cybercriminals will continue manipulating app features to steal information and attack. Mobile devices have to be protected with a comprehensive security structure and program against mobile malware.