Cybersecurity company Human has uncovered another adware campaign engaging in ad fraud that is targeting iOS and Android devices. In the simplest terms, ad fraud allows a bad actor to either visibly spam an app with ads, or to manipulate the code in such a way that the ads are invisible to the user while the bad actor extracts advertising money from a marketer.
In each iteration, it’s fraudulent. Ad fraud has been widespread in the industry for a while, and the latest investigation uncovered a cache of over 75 Android apps listed in the Google Play Store and nearly a dozen apps on Apple’s App Store that are engaged in various forms of ad fraud.
The bad apps have been collectively downloaded over 13 million times across Google and Apple’s app ecosystems. After being notified by Human, Google and Apple have since expunged the apps from their respective app repositories.
This is the third wave of the same attack, which was first reported in 2019 and was labeled Poseidon. The second wave that raised its head in 2020 was christened Charybdis, while the ongoing attack wave has been bestowed the name Scylla. Over time, the campaign gained the ability to obfuscate its malicious code, as well as an SDK-targeting capability.
By the time the Scylla adware campaign raised its head, it could pass itself off as a legitimate game, tricking advertisers into spending more money. The fraud uses hidden ads that are not visible to users, or out-of-context ads that randomly pop up on the screen. Gaming the ad view metrics was also observed as a means to register ad clicks and make money.
What’s the safe road ahead?
The most reasonable course of action is to delete the problematic apps, assuming they are already installed on your phone. You can check the entire list of adware-ridden applications on Human’s website. An effective precautionary step is to always install apps from reliable developers and publishers.
Another option is to upgrade to an app’s premium version if the free tier is showing too many shady ads that enable click-through to an even more malicious webpage. App developers don’t always have overarching control over the ads appearing in their apps.
We live in an era of continuous web tracking, and targeted ads that are modeled after behavioral patterns are the most invasive. Since advertising companies often rely on breadcrumbs of our online activities, you should clear your browser history, cache, and cookies from time to time.
You can also try specialized adware removal apps, just to be on the safe side. NordVPN offers a fairly robust ad-blocking system. Other reliable options are Adware Cleaner by Pocket Bits, Norton Ad Blocker, TotalAV, and Malwarebytes.
Adware is not a new phenomenon, especially on the Android side of the ecosystem. But despite Apple’s claims of a safe app ecosystem, iPhones aren’t really impervious. Security firm Wandera spotted 17 apps on the App Store in 2019 that were running invisible ads and clocking ghost clicks to generate ad revenue.
In 2018, a Cisco Talos researcher uncovered a highly targeted attack that only affected 13 iPhones in India by weaponizing the MDM server. One of the suspicious outcomes of the attack was random ads appearing on the infected devices. But the malware ecosystem is an ever-evolving landscape. Just over a month ago, the experts at Germany’s Technical University of Darmstadt cooked up lethal malware that is delivered via Bluetooth and can even infect an iPhone when it’s powered off.