Google Play Store and Apple Store adware downloaded millions of times

app security
(Image credit: Shutterstock.com)

Almost a hundred apps across the Android and iOS ecosystems have been discovered engaging in advertising fraud, researchers have claimed.

The apps, 80 of which were built for Android, and nine for iOS, have more than 13 million downloads between them, and include games, screensavers, camera apps, and more - some with more than a million downloads. 

Research from cybersecurity firm HUMAN Security found that by targeting advertising software development kits (SDK), the unknown threat actors were able to compromise these apps for their own personal benefit, in multiple ways: by pretending to be apps they’re not; by rendering ads in places where users wouldn’t be able to see them; and by faking clicks and taps (keeping track of real ad interactions and faking them later).

Evolution of Poseidon

The campaign, which HUMAN dubbed Scylla, is still ongoing, meaning at least some of the apps are still up and running. “These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla,” the researchers say. 

The Charybdis operation the researchers mention is an older campaign, out of which Scylla evolved. Charybdis itself evolved from an even older campaign, called Poseidon, leading the researchers to conclude that the threat actors are actively developing these apps and that new variants are bound to appear. 

HUMAN says it “worked closely” with both Google and Apple to have all of the identified malicious apps removed from the respective app repositories. 

However, that doesn’t mean the threat is completely gone - users who have downloaded these apps in the meantime are still vulnerable, and will remain so until they remove them from their endpoints. 

The company urges users to go through the entire list of apps found here and make sure they remove any apps they might have installed.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.