Researchers spotted 15 wallpaper apps in the Google Play Store running an ad fraud scheme. The identified apps had been downloaded from the Play Store more than 222,200 times at the time of writing. The research also found that Italy, Taiwan, the United States, Germany, and Indonesia recorded the most infections. However, Google has confirmed the removal of all identified wallpaper apps from the Google Play Store.
Modus Operandi
Researchers from Trend Micro reported that almost 15 Android wallpaper applications were detected committing ad fraud. The identified applications were designed with attractive icons that promise beautiful mobile wallpapers. The apps also have high user ratings and positive comments. Researchers suspect that these reviews are fake and meant to project credibility to users.
“The cybercriminals profit through the parameters’ value replacement. IDs provided by Google for Android developers such as the advertising ID, advertiser ID, and device ID are anonymous identifiers specific to users to monetize their apps. The app replaces ANDROID_ID, BUNDLE_ID, IP, USER_AGENT with the ad ID, the app’s package name, current IP, and the user agent of the current browser,” Trend Micro said.
These placeholders all appear in the fallback_URL from the configuration file; substituting them creates a fraudulent fallback_URL used for fake clicks. For instance, the original would be:
http[:]//pub[.]mobday[.]com/api/ads_api[.]php?ver=1.2&pubid=1022&adspace=1007&advid={ANDROID_ID}&bundle={BUNDLE_ID}&ip={IP}&ua={USER_AGENT}&cb=5c1236f316e45
This will be replaced with:
http[:]//pub[.]mobday[.]com/api/ads_api[.]php?ver=1.2&pubid=1022&adspace=1007&advid=260903559217b3a8&bundle=com[.]amz[.]wildcats&ip= 203[.]90[.]248[.]163&ua=Mozilla/5.0 (Linux; Android 6.0.1; MuMu Build/V417IR; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/52.0.2743.100 Mobile Safari/537.36&cb=5c1236f316e45
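For defenders who have recovered such a configuration file, the substitution above can be turned into a log hunt. The following is an added example (not code from Trend Micro or the original article) that checks whether a logged URL is a filled-in instance of the fallback_URL template and extracts the substituted values; the log layout, function names and the example.org line are assumptions, while the two mobday URLs are the ones quoted above.

```python
import re
from urllib.parse import urlsplit, unquote

# fallback_URL template and filled-in request, both as quoted (defanged) in the article.
TEMPLATE = ("http[:]//pub[.]mobday[.]com/api/ads_api[.]php?ver=1.2&pubid=1022"
            "&adspace=1007&advid={ANDROID_ID}&bundle={BUNDLE_ID}&ip={IP}"
            "&ua={USER_AGENT}&cb=5c1236f316e45")
OBSERVED = ("http[:]//pub[.]mobday[.]com/api/ads_api[.]php?ver=1.2&pubid=1022"
            "&adspace=1007&advid=260903559217b3a8&bundle=com[.]amz[.]wildcats"
            "&ip= 203[.]90[.]248[.]163&ua=Mozilla/5.0 (Linux; Android 6.0.1; MuMu "
            "Build/V417IR; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 "
            "Chrome/52.0.2743.100 Mobile Safari/537.36&cb=5c1236f316e45")
# Constructed proxy log, assumed layout "<timestamp> <client> <url>".
SAMPLE_LOG = [
    "t1 10.0.0.5 http://example.org/api/ads_api.php?ver=1.2&pubid=1022",
    "t2 10.0.0.7 " + OBSERVED,
    "t3 10.0.0.9 " + TEMPLATE,  # placeholders never filled in
]
PLACEHOLDER = re.compile(r"\{([A-Z_]+)\}")

def _parse(url):
    """Refang, then split into (host, path) and a dict of decoded query values."""
    parts = urlsplit(url.replace("[.]", ".").replace("[:]", ":"))
    pairs = (p.split("=", 1) for p in parts.query.split("&") if "=" in p)
    return (parts.hostname, parts.path), {k: unquote(v).strip() for k, v in pairs}

def match_template(template, observed):
    """Return {placeholder: value} if observed instantiates template, else None."""
    (t_ep, t_q), (o_ep, o_q) = _parse(template), _parse(observed)
    if t_ep != o_ep or set(t_q) != set(o_q):
        return None
    filled = {}
    for key, t_val in t_q.items():
        slot = PLACEHOLDER.fullmatch(t_val)
        if slot is None:
            if o_q[key] != t_val:        # fixed parameter differs
                return None
        elif not o_q[key] or PLACEHOLDER.fullmatch(o_q[key]):
            return None                  # slot empty or still a placeholder
        else:
            filled[slot.group(1)] = o_q[key]
    return filled

def hunt(lines, template=TEMPLATE):
    """Return (client, substituted values) for each log line matching the template."""
    rows = (line.split(" ", 2) for line in lines)
    hits = ((client, match_template(template, url)) for _ts, client, url in rows)
    return [(client, filled) for client, filled in hits if filled]
```

Calling `hunt(SAMPLE_LOG)` reports only the constructed client 10.0.0.7, together with the ad ID, package name, IP and user agent that were substituted into the request.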
Researchers advise mobile users to be vigilant and cautious about the applications they download, as cybercriminals will continue manipulating app features to steal information and launch attacks. Mobile devices have to be protected with a comprehensive security structure and program against mobile malware.