Researchers with White Ops have uncovered a scam to deliver millions of out-of-context (OOC) ads through a group of more than 240 Android applications on the official Google Play store, which the team said were collectively delivering more than 15 million impressions per day at their peak.
The apps have since been purged from Google Play, but users should delete them off their phones as well. The full list is available here.
The apps worked the way they were supposed to, for the most part, making them all the more effective at hiding in plain sight. Most were simple retro games like Nintendo NES emulators, and used “packer” software to bypass protections. The apps would then deliver OOC ads disguised to appear as if they were from reputable sources like Chrome and YouTube, according to the White Ops team.
“The main tool in the adware developer’s arsenal are the packers,” Gabriel Cirlig, principal threat intelligence analyst for White Ops, told Threatpost. “They cloak and allow a threat to exist under the guise of intellectual property protection. However, once they passed any antivirus [protections] a user might have, the OOC ads were able to stay undetected for a period of time by pretending to be coming from popular applications and social-media platforms, such as YouTube and Chrome. Because of this, users think the ads are coming from legitimate platforms and do not get suspicious.”
The White Ops team of researchers, including Cirling, Michael Gethers, Lisa Gansky and Dina Haines, — who named the investigation “RAINBOWMIX,” inspired by the 8-16 bit color palate running throughout the retro game apps — found that these fraudulent apps were downloaded more than 14 million times by unsuspecting users.
How RAINBOWMIX Infiltrated User Devices
The various applications’ reviews show there wasn’t a lot of attention being paid to the RAINBOWMIX group.
“Most of the RAINBOWMIX apps have a “C-shaped rating distribution curve (with primarily one- and five-star reviews, which is common with suspect apps),” the team reported.
All of the RAINBOWMIX apps were loaded with the Tencent Legu packer, they add, noting that some did give clues to their nefarious intent, if you looked hard enough.
“It is worth noting that even while packed, these apps exhibit some potentially suspicious behavior corresponding to the interstitial component of the ad SDKs, which are renamed with labels that point to well-known apps,” the researchers said.
How RAINBOWMIX Fooled the System
The team also noticed triggers for services and receivers inside the apps’ manifests which shouldn’t have been there, including upon system boot, during connection changes, when a charging chord is plugged in or out, and during app installations. The assessment is that these were used to “confuse analysts and trick static-analysis engines,” the report read.
The analysts were able to pinpoint that the trigger for OOC ads “resides in the service com.timuz.a,” adding it was present in every one of the RAINBOWMIX group of applications.
“The receiver com.google.android.gms.common.license.a is a simple wrapper that tries to keep the service com.timuz.a running and sets up the out-of-context ad loop. It is contained in all bundles in the appendix,” the report said.
The service com.timuz.a gets its orders from a command-and-control server (C2), the researchers were able to discover, despite the C2 URL being buried behind base64 coding. After that connection with the C2 is established, another service takes over (com.ironsource.sdk.handlers.a.a), and attempts to deliver an OOC ad every 10 minutes, according to the report findings.
“It is important to note that while com.ironsource.sdk.handlers.a.a is a legit SDK, ironSource is unlikely involved or aware of the abuse,” researchers said.
The C2 domain (api[.]pythonexample[.]com) meanwhile has been identified by the group as a “likely hacked website.” Research showed that the site was posted with a question on an online forum two years ago, but now it defaults to a Ngnix page.
Once the C2 connection is made, a secondary URL (hxxp://api[.]pythonexample[.]com/xyyx?pn=com.androidapk.gbaemulator) is contacted and a JSON payload downloaded. After that, researchers could see ads being played on a compromised device, with nothing from than a small icon to alert the user was getting data from another app than the one they were running.
“This is used as the C2 of the ad SDK, which determines which ad network to use as well as the interstitials frequency,” the report read. “The same C2 architecture is used across all of the RAINBOWMIX apps identified in this investigation.”
The RAINBOWMIX apps were also able to boost their ad-delivery counts by monitoring when users turned their screen on and off, the analysts also discovered. “The code responsible for detecting screen on/off events was placed inside a fake Unity class ‘com.unity.b.’,” they explained.
The Impact of RAINBOWMIX & OOC Ads
Outside of the nuisance factor for users, delivering OOC ads damages every legit advertiser out there relying on consumers to trust the messages they consume online, White Ops pointed out.
“Alongside the usual fraudulent aspect of delivering ads that don’t have the same impact as a legitimate ones with users dismissing them on the spot, they also lower brand trust by masquerading as legitimate applications that would never spam the user in such as manner as the one presented,” Cirlig said.
The team found the majority (nearly 21 percent) of traffic came from Brazil, followed closely by Indonesia and Vietnam. The U.S. represented 7.7 percent of the traffic to RAINBOWMIX OOC ads.
Keywords: Out of Context ads, OOC ads, malware, RAINBOWMIX, White Ops, Google Play, emulator, Nintendo, retro games, 8-16 bit color palate, android, google play, malicious ads, ad fraud, white ops