That NES emulator you used to play Super Mario on Android could be a scam

Investigators have identified a litany of fraudulent Android apps in circulation, with millions of downloads between them, many of which play on gaming-related themes. According to security firm White Ops, more than 240 Android apps have engaged in deceptive behavior using out-of-context (OOC) ads, designed to mimic those that might be served by popular platforms like YouTube. Often these apps took the form of Nintendo Entertainment System (NES) emulators, allowing nostalgic Android users to play retro video games from the late 80s, such as Super Mario Bros. The researchers responsible for the discovery named the elaborate campaign RAINBOWMIX, referencing the vibrant color palette of NES-era games. At the height of the operation in May, the rogue apps were generating more than 15 million ad impressions per day for their operators.

Fraudulent Android Apps

What makes the RAINBOWMIX operation unusual, according to White Ops, is the effort that went into ensuring that the apps work at least partially as advertised (increasing the likelihood that a user will return) and the ease with which so many of them ended up in the Google Play Store.

To circumvent the various security protocols that protect against rogueware, the applications used a relatively unsophisticated technique involving packers, described as "software hiding a trailing payload." "The code responsible for out-of-context ads is found in packages owned by legitimate SDKs, such as Unity and Android. All of the discovered apps appear to have fairly low detection rates in antivirus engines, largely due to the packer," White Ops explained. The hackers also included code that is useless to the applications themselves, but is known to the Android operating system, to "confuse analysts and fool static analysis engines."

While all software associated with RAINBOWMIX has now been removed from the Google Play Store, the apps have been downloaded more than 14 million times combined and are likely to remain on a significant proportion of the devices they were installed on. The offending apps are said to monitor when users turn their screens on and off to optimize ad serving, but TechRadar Pro has requested further clarification on the threat to end users, and will update this article accordingly. A full list of affected apps has been posted on the White Ops blog.