They are part of a large-scale malvertising campaign. 75 apps find their way into the Play Store. 10 more apps make it into the Play Store.
Researchers from Human Security have discovered 85 malicious apps in the official marketplaces of Google and Apple. Cybercriminals apparently reached around 13 million smartphones and tablets running Android and iOS with the malvertising campaign known as Scylla.
In the meantime, the questionable apps have been removed from the Play Store and the App Store by Google and Apple, respectively. In the Play Store, the researchers found 75 apps that generated fraudulent advertising revenue for their backers with visible and non-visible unwanted ads. Unlike previous campaigns, the Scylla campaign also allowed cybercriminals to inject malicious apps into Apple’s App Store.
According to the Human Security report, the fraudulent apps pose as other, well-known apps in order to generate advertising revenue. In addition, the apps are said to be able to generate ads that are not visible to users. As another source of revenue, the apps are said to use fake clicks on ads. To optimize this technique, the apps are able to capture real clicks on ads to mimic them later.
Furthermore, researchers believe that Scylla is already the third malvertising campaign of this hacking group. Human Security first encountered the cybercriminals in 2019.
“This modus operandi, combined with the obfuscation techniques first observed in the Charybdis operation, indicates that the threat actors behind Scylla are becoming increasingly sophisticated,” Human Security’s analysis states. “This is an ongoing attack, and users should review the list of apps in the report and consider removing them from all devices.”
Now that Google has deemed the apps to be malicious, users of Android devices should be protected by the Play Protect security feature. Owners of iOS devices, meanwhile, will have to remove the malicious apps in question themselves. A complete list of all apps in the Scylla campaign can be found in Human Security’s investigation report.