AA19-028A

Over 100 Android Apps Used ‘Soraka’ Package to Perform Ad Fraud

Researchers identified more than 100 apps that used a common code package named “Soraka” to perform ad fraud on users’ Android devices.

The White Ops Threat Intelligence team observed that many of the apps did not have a suspicious reputation at the time of discovery. For instance, the “Best Fortune Explorer” registered no red flags with anti-virus engines on VirusTotal when White Ops Threat Intelligence published its research. The app had already received 170,000 downloads by that time, and it was still available for download on Google’s Play Store.

Together, all of the 100+ malicious Android apps registered 4.6 million downloads.

In its analysis, the White Ops Threat Intelligence team found that the apps relied on a framework called AppsFlyer to watch for inorganic installations attributed to fraudsters’ promotional efforts. The apps displayed fraudulent ads only when where there was an inorganic installation. In those cases, the apps used their underlying Soraka code to determine what to run based upon several triggers.

According to the White Ops Threat Intelligence team, there’s a likely explanation for this use of AppsFlyer.

Specifically, the app waited for the device to be unlocked before displaying its first Out-of-Context (OOC) ad. After the user minimized the first ad by clicking the device’s home button, the app displayed another OOC ad. The third OOC ad followed after a few additional actions.

These apps used multiple Java-based persistence mechanisms, including setting the alarm, to remain on an infected device.

Android users should uninstall any of the apps detected by the White Ops Threat Intelligence team.

This news came more than a year after a federal indictment charged eight individuals with perpetrating widespread digital advertising fraud that cost businesses millions of dollars.