In an extensive campaign that unfolded across the globe, SlopAds, a massive ad fraud operation, infiltrated the Android ecosystem, amassing an impressive 38 million downloads. The scheme, meticulously orchestrated across 228 countries and territories, has sparked concerns around the security of mobile advertising frameworks. According to the meticulous findings of HUMAN's Satori Threat Intelligence and Research Team, this fraudulent network utilized a cunning blend of technology, including the manipulation of ad impressions via hidden WebViews and the stealthy integration of steganography.
Complex Ad Fraud Techniques
The operation illustrates the daunting evolution of mobile ad fraud tactics. At the core, SlopAds leveraged several AI-themed services, such as StableDiffusion, AIGuide, and ChatGLM, hosted on a central command-and-control (C2) server. These applications, designed to appear innocuous, were stealthily equipped to discern their installation origins. If determined to have been installed following an ad click, these apps would download FatModule, a sophisticated ad fraud module engineered to exploit cloaked WebViews, subsequently generating substantial fraudulent ad impressions and clicks.
The deception runs deep as the fraud is uniquely triggered only under the guise of legitimate installations—such as being downloaded directly—effectively blending illicit activities with genuine campaign data. Such sophistication infuriates detection efforts, as legitimate user engagement obscures the nefarious functions.
Unveiling the Infrastructure
SlopAds' infrastructure was rich in complexity, using both innovations and improvisation to perpetuate its fraudulent practices. The delivery mechanisms utilized four PNG image files to transport the concealed APK, which upon assembly, harvested device and browser information. This approach illustrates the calculated breadth of the operation, facilitating transactions through imperceptible means.
The threat actors further fortified the operation by directing fraudulent traffic to HTML5 game and news websites they owned, capitalizing on hidden WebViews to covertly rack up ad impressions at scale. Prominently, about 300 domains have been associated with promoting SlopAds applications, intricately linked through a Tier-2 C2 server identified as ad2.cc.
Global Impact and Industry Response
During its peak, SlopAds churned out a staggering 2.3 billion bid requests daily, with a majority of fraudulent traffic emanating from the United States (30%), followed by India (10%) and Brazil (7%). In light of these findings, Google swiftly extricated the offending applications from its Play Store, a move aimed to stymie the proliferating threat.
The SlopAds investigation not only emphasizes the potency of conditional fraud execution but also the alarming capacity for rapid proliferation. Experts like Gavin Reid, CISO at HUMAN, reiterate the need for a bolstered, collective stance against such high-caliber, stealthy cyber threats that continue to redefine the boundaries of mobile ad fraud.
