HUMAN Discovers Konfety Ad Fraud Operation Wielding Novel ‘Evil Twin’ Evasion Method
July 16 2024 - 9:00AM
HUMAN Security, Inc., the global cybersecurity
leader in disrupting bot attacks and preventing digital fraud and
abuse, today announced it has uncovered an advanced mobile
advertising fraud campaign that uses a new “evil twin” evasion
method to operate under the radar. The operation, which HUMAN has
dubbed Konfety, operates two apps sharing the same ID. One is an
“evil twin” version that is distributed via malvertising and
malicious downloads and performs ad fraud. The other is a “decoy
twin” version available on major marketplaces, with more than
250 decoy applications available on the Google
Play Store.
HUMAN’s Satori Threat
Intelligence and Research Team has determined
that, at its peak, Konfety-related programmatic
bids reached 10 billion requests per day.
The Konfety operation implements this
"evil twin" method to conduct fraud by abusing an advertising
software development kit (SDK) from Russia-based ad network
CaramelAds. Though not inherently malicious, the SDK was exploited
by threat actors to request and render ads, sideload additional
Android Package Files (APKs), and communicate with
command-and-control (C2) servers. Decoy apps on the Play Store
purport to be owned by different developers but are mostly
template-based apps owned by the Konfety threat actor group.
The CaramelAds code offers basic
functionality to render banner ads and interstitials and a
straightforward analytics interface to measure ad performance. The
SDK can, however, be abused by developers to make it appear as
though the traffic originates from any type of device they choose,
enabling this device to navigate to malicious URLs, use hard-coded
malicious URLs, and more. The decoy apps had an average of only
10,000 downloads each, and did not generate ads, prompting HUMAN
researchers to investigate how the high volume of ad traffic was
being generated; this resulted in the team uncovering the “evil
twin” model in which the malicious twins were the ones generating
ads using the identifiers of the decoy apps.
“Konfety’s operations depict the
latest in a series of adaptations from ad fraudsters to cloak their
activities using novel tactics that enable them to evade
detection,” said Lindsay Kaye, Vice President of Threat
Intelligence at HUMAN. “The Satori team’s investigation
shows how threat actors are getting around the risk of hosting
malicious apps on app stores by finding new and innovative ways to
fly under the radar and commit long-term fraud.”
All customers partnering with HUMAN
for pre-bid mitigation and post-bid detection are safeguarded from
the impacts of Konfety. Fraud in the digital advertising supply
chain harms inventory and the entire digital ecosystem. This leaves
ad tech platforms with reduced inventory value and damaged
reputations with demand partners. HUMAN’s Ad Fraud Defense ensures
that only verified human inventory is allowed into the bidding
process—without affecting platform speed and regardless of
channel.
The HUMAN Satori team has provided
detection and signaturing insight to external partners and
developed signatures for Konfety techniques to track any additional
apps in openly available repositories. HUMAN continues to monitor
the Konfety threat, including how the threat actor adapts to
defenses, and keeps those defenses updated to combat the latest TTPs
the threat actor employs.
To learn more about the Konfety
investigation, visit the HUMAN blog and read the
full technical report.
About HUMAN
HUMAN is a cybersecurity company
that protects organizations by disrupting bot attacks, digital
fraud and abuse. We leverage modern defense to disrupt the
economics of cybercrime by increasing the cost to cybercriminals
while simultaneously reducing the cost of collective defense. Today
we verify the humanity of more than 20 trillion digital
interactions per week across advertising, marketing, e-commerce,
government, education and enterprise security, putting us in a
position to win against cybercriminals. Protect your digital
business with HUMAN. To Know Who’s Real, visit
www.humansecurity.com.
Contact information:
Masha Krylova, Director of Communications
masha.krylova@humansecurity.com
A photo accompanying this announcement is available at
https://www.globenewswire.com/NewsRoom/AttachmentNg/eb7ced93-a635-4a3e-a42d-5aa8063837d8