Girl flags massive iOS ad scam campaign targeting kids

Posted:
in General Discussion
A tip from a child helped security researchers discover an aggressive scam and adware campaign on both iOS and Android that was being promoted on TikTok and Instagram.

Credit: Benjamin Sow
Credit: Benjamin Sow


Researchers from Avast Security discovered the malicious apps when a girl found a TikTok profile that appeared to be promoting an abusive app and reported it. The apps had been downloaded a combined 2.4 million times on the App Store and Google Play.

The apps posed as platforms for entertainment, music downloads, or wallpapers. They served intrusive ads, even when they weren't open in the foreground. And according to the report from Avast, they also used sly tactics to prevent users from uninstalling them.

Avast classified the apps as HiddenAds trojans. The trojan "that disguises itself as a safe and useful application but instead serves intrusive ads outside of the app, and hides the original app icon making it difficult for users to identify where the ads are being served from." Some of them also charged high prices for a download, between $5 to $10.

Many of the fraudulent apps were being promoted by a handful of TikTok and Instagram users, one of which had more than 300,000 followers. According to data from analytics firm SensorTower, the campaign netted more than $500,000 for the person or people behind the scam.

"We thank the young girl who reported the TikTok profile to us, her awareness and responsible action is the kind of commitment we should all show to make the cyberworld a safer place," said Avast threat analyst Jakub Vavra.

The apps violated both App Store and Google Play terms of service by serving ads outside of the app, hiding their app icons, and making false app functionality claims. Avast has reported the apps to Apple and Google, and the social media profiles to Instagram and TikTok.

"It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them," Vavra said.

Google has reportedly removed the apps from the Google Play Store. But as of the writing of this article, many of the fraudulent iOS apps are still available on the App Store.

Comments

  • Reply 1 of 19
    How does “serving ads outside of the app” work? I don’t think I have seen that happening myself so I’m having a little trouble wrapping my head around it. Wouldn’t an app only be able to display an ad in the app?
    razorpitwatto_cobra
  • Reply 2 of 19
    sflocalsflocal Posts: 5,529member
    I personally feel that Apple is not taking the security of its users seriously in action, compared to what it’s marketing department says.

    Apple needs to start a very public campaign of cleaning out the App Store of these sketchy apps, and not limit itself to revoking the developer accounts of these apps, but also banning the actual developers themselves from ever being allowed back into developing apps for the App Store.  That’s a hard - if not impossible task, but come on Apple.  Last thing Apple needs is damaged trust.

    Without consequences, they will continue doing it.  There is just so much garbage out there.
    razorpitronncornchipDogpersonpscooter63pulseimagesolsviclauyycmuthuk_vanalingamwatto_cobra
  • Reply 3 of 19
    sflocal said:
    I personally feel that Apple is not taking the security of its users seriously in action, compared to what it’s marketing department says.

    Apple needs to start a very public campaign of cleaning out the App Store of these sketchy apps, and not limit itself to revoking the developer accounts of these apps, but also banning the actual developers themselves from ever being allowed back into developing apps for the App Store.  That’s a hard - if not impossible task, but come on Apple.  Last thing Apple needs is damaged trust.

    Without consequences, they will continue doing it.  There is just so much garbage out there.
    You say hard to impossible, I totally agree. Maybe they are doing that sort of thing and just not touting it.

    As to the “hard to impossible” side of it, consider this: I have 1 game on my phone that I play a couple times a day. It has a “league” where it’s possible to complete with other players but do it requires signing in using a Facebook or Google account, neither of which I have. The latest update for the game came out yesterday and there is still no way to use “Sign In with Apple”, which I thought was supposed to be a requirement by now. Clearly, Apple has not caught that in this app, or I don’t fully understand what the requirements around SIwA are. But if they haven’t caught that, which seems relatively easy on the surface, then it must be much, much harder to catch the sort of app that this article references. 
    cornchipviclauyycjony0watto_cobra
  • Reply 4 of 19
    razorpitrazorpit Posts: 1,796member
    How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.
    cornchipjony0watto_cobra
  • Reply 5 of 19
    This girl deserves a scholarship for her good work.
    macseekercornchipDogpersonpscooter63pulseimagesviclauyycmuthuk_vanalingamjony0watto_cobra
  • Reply 6 of 19
    Rayz2016Rayz2016 Posts: 6,704member
    How does “serving ads outside of the app” work? I don’t think I have seen that happening myself so I’m having a little trouble wrapping my head around it. Wouldn’t an app only be able to display an ad in the app?
    razorpit said:
    How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.

    Good questions; the problem is that the writer left out a few details from the original Avast report, the most important part being exactly what platforms were affected by which malware.

    From the article:

    The apps violated both App Store and Google Play terms of service by serving ads outside of the app, hiding their app icons, and making false app functionality claims. Avast has reported the apps to Apple and Google, and the social media profiles to Instagram and TikTok.

    However, if you read the Avast report, it makes the following very clear:

    • The apps that were serving ads outside the apps and allowing the icons to be hidden were running on the Android platform. (Quel supris)
    • The iOS apps were basically charging idiots for crap apps, wallpapers and effects that just involved making the phone vibrate. They're junk, but they're not actually malware. iOS apps are sandboxed to hell; if an app is serving ads outside of the app then it's a bug in the operating system. The real problem is that the App Store is full of junk.

    There is still a serious problem with Apple customers being ripped off by apps like this. Apple needs to tighten up its reviews on any app that is offering in-app purchases. These scammers know that Apple will not actually make a purchase during the reviews, which is why they've hung around so long.

    Apple also needs to actually read the app reviews on its own store; they'll be the first clue to a problem. If you're getting hundreds of 1-star reviews for any app or game, then you should at least take a look.

    edited September 2020 cornchiprandominternetpersonpscooter63GG1viclauyycjony0appleinsideruserwatto_cobra
  • Reply 7 of 19
    Rayz2016Rayz2016 Posts: 6,704member

    sflocal said:
    I personally feel that Apple is not taking the security of its users seriously in action, compared to what it’s marketing department says.

    Apple needs to start a very public campaign of cleaning out the App Store of these sketchy apps, and not limit itself to revoking the developer accounts of these apps, but also banning the actual developers themselves from ever being allowed back into developing apps for the App Store.  That’s a hard - if not impossible task, but come on Apple.  Last thing Apple needs is damaged trust.

    Without consequences, they will continue doing it.  There is just so much garbage out there.

    Agreed.

    Apple should declare a clean-up month twice a year. 
    pulseimagesolswatto_cobra
  • Reply 8 of 19
    Rayz2016Rayz2016 Posts: 6,704member
    One other small point, before GoogleGuy pops an artery.

    Are the android apps really serving ads outside of the app?

    I'm not sure. If the app icon is hidden, then it could be that the app is running in background without a window, but the ad is still inside the app on some sort of timed thread. Not sure; someone who actually programs Android will probably have the answer; I wouldn't touch it to find out.
    cornchippscooter63jony0watto_cobra
  • Reply 9 of 19
    BeatsBeats Posts: 2,111member
    razorpit said:
    How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.

    Like another user posted this is crappy Androids "free and open" system. It would be near impossible to do this on Apple devices.

    Rayz2016 said:
    One other small point, before GoogleGuy pops an artery.

    Are the android apps really serving ads outside of the app?

    I'm not sure. If the app icon is hidden, then it could be that the app is running in background without a window, but the ad is still inside the app on some sort of timed thread. Not sure; someone who actually programs Android will probably have the answer; I wouldn't touch it to find out.

    My mom had a crappy knockoff iPhone that couldn't even design the charger without stealing Apple's design, it would get pop-up ads on the homescreen and the lockscreen. It drove her crazy and it was annoying helping her with her phone when a FULL SCREEN ad would pop up every minute.
    viclauyycjony0watto_cobra
  • Reply 10 of 19
    Rayz2016Rayz2016 Posts: 6,704member
    Beats said:
    razorpit said:
    How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.

    Like another user posted this is crappy Androids "free and open" system. It would be near impossible to do this on Apple devices.

    Rayz2016 said:
    One other small point, before GoogleGuy pops an artery.

    Are the android apps really serving ads outside of the app?

    I'm not sure. If the app icon is hidden, then it could be that the app is running in background without a window, but the ad is still inside the app on some sort of timed thread. Not sure; someone who actually programs Android will probably have the answer; I wouldn't touch it to find out.

    My mom had a crappy knockoff iPhone that couldn't even design the charger without stealing Apple's design, it would get pop-up ads on the homescreen and the lockscreen. It drove her crazy and it was annoying helping her with her phone when a FULL SCREEN ad would pop up every minute.
    Well, there’s the other thing. Apple doesn’t allow carriers to fill up the phone with junk before handing it over to a customer. 
    Beatsolsjony0watto_cobra
  • Reply 11 of 19
    What an incredibly uninformative article.
    • Where's the link to the Avast report?
    • What's the name of the girl?
    • What are the names of the apps in both the Google Play and iOS App Store?
    What's the point of this article?  If it's to warn readers of apps to avoid, it doesn't tell what apps to avoid.  If it's to recognize the girl's accomplishment, then why keep her anonymous?
    olsviclauyycjony0watto_cobra
  • Reply 12 of 19
    BeatsBeats Posts: 2,111member
    Little girl reports ad scam campaign.

    Zuckergerg whines and complains she's being anti-competitive.
    viclauyycjony0command_fwatto_cobra
  • Reply 13 of 19
    BeatsBeats Posts: 2,111member
    Rayz2016 said:
    Beats said:
    razorpit said:
    How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.

    Like another user posted this is crappy Androids "free and open" system. It would be near impossible to do this on Apple devices.

    Rayz2016 said:
    One other small point, before GoogleGuy pops an artery.

    Are the android apps really serving ads outside of the app?

    I'm not sure. If the app icon is hidden, then it could be that the app is running in background without a window, but the ad is still inside the app on some sort of timed thread. Not sure; someone who actually programs Android will probably have the answer; I wouldn't touch it to find out.

    My mom had a crappy knockoff iPhone that couldn't even design the charger without stealing Apple's design, it would get pop-up ads on the homescreen and the lockscreen. It drove her crazy and it was annoying helping her with her phone when a FULL SCREEN ad would pop up every minute.
    Well, there’s the other thing. Apple doesn’t allow carriers to fill up the phone with junk before handing it over to a customer. 

    And manufacturers, you forgot the manufacturers.
    watto_cobra
  • Reply 14 of 19
    DAalsethDAalseth Posts: 1,501member
    e60 said:
    What an incredibly uninformative article.
    • Where's the link to the Avast report?
    • What's the name of the girl?
    • What are the names of the apps in both the Google Play and iOS App Store?
    What's the point of this article?  If it's to warn readers of apps to avoid, it doesn't tell what apps to avoid.  If it's to recognize the girl's accomplishment, then why keep her anonymous?
    A link to the report would be good as would the name of the app(s).

    Doxing the girl, a minor, who reported the app would be unbelievably unethical. That is something you just don't do and AI would never even consider it even if the information was available. 
    Just no.
    muthuk_vanalingamjony0watto_cobraCluntBaby92
  • Reply 15 of 19
    gatorguygatorguy Posts: 22,828member
    Rayz2016 said:
    How does “serving ads outside of the app” work? I don’t think I have seen that happening myself so I’m having a little trouble wrapping my head around it. Wouldn’t an app only be able to display an ad in the app?
    razorpit said:
    How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.

    Good questions; the problem is that the writer left out a few details from the original Avast report, the most important part being exactly what platforms were affected by which malware.

    From the article:

    The apps violated both App Store and Google Play terms of service by serving ads outside of the app, hiding their app icons, and making false app functionality claims. Avast has reported the apps to Apple and Google, and the social media profiles to Instagram and TikTok.

    However, if you read the Avast report, it makes the following very clear:

    • The apps that were serving ads outside the apps and allowing the icons to be hidden were running on the Android platform. (Quel supris)
    • The iOS apps were basically charging idiots for crap apps, wallpapers and effects that just involved making the phone vibrate. They're junk, but they're not actually malware. iOS apps are sandboxed to hell; if an app is serving ads outside of the app then it's a bug in the operating system. The real problem is that the App Store is full of junk.

    There is still a serious problem with Apple customers being ripped off by apps like this. Apple needs to tighten up its reviews on any app that is offering in-app purchases. These scammers know that Apple will not actually make a purchase during the reviews, which is why they've hung around so long.

    Apple also needs to actually read the app reviews on its own store; they'll be the first clue to a problem. If you're getting hundreds of 1-star reviews for any app or game, then you should at least take a look.

    iOS is not immune to adware apps as we all know, even if running outside of the app may be blocked. 
    https://snyk.io/blog/sourmint-malicious-code-ad-fraud-and-data-leak-in-ios/
    "...Malicious code was uncovered in the iOS versions of the SDK from the Chinese mobile ad platform provider, Mintegral dating back to July 2019. The code can spy on user activity by logging URL-based requests made through the app. This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information. Furthermore, the SDK fraudulently reports user clicks on ads, stealing potential revenue from competing ad networks and, in some cases, the developer/publisher of the application."

    "...there is a particular routine that attempts to determine if the phone was rooted and if any type of debugger or proxy tools are in use. If it finds evidence that it is being watched, the SDK modifies its behavior in an apparent attempt to mask its malicious behaviors. This may also help the SDK pass through Apple’s app review process without being detected."
    edited September 2020 jony0
  • Reply 16 of 19
    macguimacgui Posts: 1,990member
    DAalseth said:
    A link to the report would be good as would the name of the app(s).

    Doxing the girl, a minor, who reported the app would be unbelievably unethical. That is something you just don't do and AI would never even consider it even if the information was available. 
    Just no.
    A link would be appreciated both for a more thorough read (although what I saw was highly editorialized rather than objective) and to see if AVAST named the apps as well.

    Absolutely correct on the doxing. Only an idiot would want a minor's name published under the circumstances. There is no crime in keeping her anonymous and no actual benefit to making her name known.
    edited September 2020 watto_cobra
  • Reply 17 of 19
    gatorguy said:
    Rayz2016 said:
    How does “serving ads outside of the app” work? I don’t think I have seen that happening myself so I’m having a little trouble wrapping my head around it. Wouldn’t an app only be able to display an ad in the app?
    razorpit said:
    How does an installer hide the app icon? I think that's one of the more scary things to come out of this article.

    Good questions; the problem is that the writer left out a few details from the original Avast report, the most important part being exactly what platforms were affected by which malware.

    From the article:

    The apps violated both App Store and Google Play terms of service by serving ads outside of the app, hiding their app icons, and making false app functionality claims. Avast has reported the apps to Apple and Google, and the social media profiles to Instagram and TikTok.

    However, if you read the Avast report, it makes the following very clear:

    • The apps that were serving ads outside the apps and allowing the icons to be hidden were running on the Android platform. (Quel supris)
    • The iOS apps were basically charging idiots for crap apps, wallpapers and effects that just involved making the phone vibrate. They're junk, but they're not actually malware. iOS apps are sandboxed to hell; if an app is serving ads outside of the app then it's a bug in the operating system. The real problem is that the App Store is full of junk.

    There is still a serious problem with Apple customers being ripped off by apps like this. Apple needs to tighten up its reviews on any app that is offering in-app purchases. These scammers know that Apple will not actually make a purchase during the reviews, which is why they've hung around so long.

    Apple also needs to actually read the app reviews on its own store; they'll be the first clue to a problem. If you're getting hundreds of 1-star reviews for any app or game, then you should at least take a look.

    iOS is not immune to adware apps as we all know, even if running outside of the app may be blocked. 
    https://snyk.io/blog/sourmint-malicious-code-ad-fraud-and-data-leak-in-ios/
    "...Malicious code was uncovered in the iOS versions of the SDK from the Chinese mobile ad platform provider, Mintegral dating back to July 2019. The code can spy on user activity by logging URL-based requests made through the app. This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information. Furthermore, the SDK fraudulently reports user clicks on ads, stealing potential revenue from competing ad networks and, in some cases, the developer/publisher of the application."

    "...there is a particular routine that attempts to determine if the phone was rooted and if any type of debugger or proxy tools are in use. If it finds evidence that it is being watched, the SDK modifies its behavior in an apparent attempt to mask its malicious behaviors. This may also help the SDK pass through Apple’s app review process without being detected."

    Even compared to your usual levels of Google cheerleading, this is really a bit desperate.

    I did not say that iOS was immune to malware (in fact, no one in this thread has made such a claim). What I said was that the article implied that the iOS sandboxing mechanism was allowing ads to be served outside of applications. But if you look at the actual Avast report, this is not the case. The difference is important: if these ads were being served outside of a running application, then Apple has a serious bug that needs immediate attention, not because of some benign ads, but because what else could be coded up to exploit it.

    As it turned out, only the Android platform was (apparently) allowing ads to be served outside of applications, and also allowing apps to be installed with hidden icons. This seems to have triggered your default response: race off and post the first article you can that you hope will distract folk from a potential flaw in Android by pointing the finger at iOS. And as expected the article you pointed at has nothing to do with the problem under discussion (which is actually the quality of the AI article more than anything else). 

    Your first line was the real giveaway:

    iOS is not immune to adware apps as we all know, even if running outside of the app may be blocked. 
    Funny that we all know it, but just to keep Google out of the frame, you thought you'd just repeat it. An adware app is an app, so your post is already meaningless. The only way they can block this is by being a lot more thorough and stringent in their review.  And even while I have often called for this, I know how difficult it would be without combing through thousands of lines of source code in millions of apps, line by line. Likewise they cannot check the thousands of third-party SDKs that app developers will use.

    In much the same way that Android phone makers cheat in hardware reviews by detecting when the phone is running a benchmark, app developers can hide adware functionality by only triggering it after a certain amount of time has elapsed for example.

    Still, Apple has done a very good job of keeping the platform reasonably safe, and they've done this because their user base is the most obnoxious, critical, rude, demanding customer demographic on the planet (I should know; I'm one of them). I mean, look at all the whining over a watch strap! Just … just get a strap that doesn't require you to measure your wrist!

    On the other hand, Android phones have crapware installed before they arrive and the various stores are rife with dangerous data-thieving applications (other than Google's own applications obviously). And why is this? Simple. Android's user base is more obsessed with convincing itself that the platform is better than Apple, rather than focussing on Android itself. Apple users only care about making the Apple making the Apple platform better and to do that we sometimes have to be obnoxious, critical, rude and demanding.

    Something you might want to think about before posting your next irrelevant deflection.
    watto_cobra
  • Reply 18 of 19
    DAalseth said:
    e60 said:
    What an incredibly uninformative article.
    • Where's the link to the Avast report?
    • What's the name of the girl?
    • What are the names of the apps in both the Google Play and iOS App Store?
    What's the point of this article?  If it's to warn readers of apps to avoid, it doesn't tell what apps to avoid.  If it's to recognize the girl's accomplishment, then why keep her anonymous?
    A link to the report would be good as would the name of the app(s).

    Doxing the girl, a minor, who reported the app would be unbelievably unethical. That is something you just don't do and AI would never even consider it even if the information was available. 
    Just no.
    Agree completely: the girl shouldn't be named.

    However, there is a link to the Avast article; it's just poorly done.

    The apps posed as platforms for entertainment, music downloads, or wallpapers. They served intrusive ads, even when they weren't open in the foreground. And according to the report  <---- (I'm here!! Help! I'm here!!) from Avast, they also used sly tactics to prevent users from uninstalling them.


  • Reply 19 of 19
    Fair question: How did this app make it past Apple's app review process? Some of the things it does like changing its icon or serving ads from the background should, in theory, be impossible due the the API checking that happens when an app is submitted to the App Store. I think this is a much more serious issue than one malicious app. How many other apps are doing malicious things in the background without anyone's knowledge? Time to update the app review software and run ALL apps through the new system including the ones already in the App Store.
Sign In or Register to comment.