Girl flags massive iOS ad scam campaign targeting kids
A tip from a child helped security researchers discover an aggressive scam and adware campaign on both iOS and Android that was being promoted on TikTok and Instagram.

Credit: Benjamin Sow
Researchers from Avast Security discovered the malicious apps when a girl found a TikTok profile that appeared to be promoting an abusive app and reported it. The apps had been downloaded a combined 2.4 million times on the App Store and Google Play.
The apps posed as platforms for entertainment, music downloads, or wallpapers. They served intrusive ads, even when they weren't open in the foreground. And according to the report from Avast, they also used sly tactics to prevent users from uninstalling them.
Avast classified the apps as HiddenAds trojans, a family Avast describes as one "that disguises itself as a safe and useful application but instead serves intrusive ads outside of the app, and hides the original app icon making it difficult for users to identify where the ads are being served from." Some of them also charged a high price for the download, between $5 and $10.
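The two HiddenAds traits described above (a hidden app icon and ads drawn outside the app) can be triaged statically on Android by inspecting an APK's manifest; the example below is added here, is not Avast's code, and uses a constructed manifest. It assumes the ads are drawn with the "draw over other apps" permission, and it is a heuristic only, since an app can also disable its launcher component at runtime.

```python
"""Heuristic triage of an Android manifest for HiddenAds-style traits.

Trait 1: no activity carries the MAIN/LAUNCHER intent filter, so no icon
         appears in the app drawer (the "hidden icon" behaviour).
Trait 2: SYSTEM_ALERT_WINDOW is requested, which lets an app draw over
         other apps (the usual way to show ads outside the app on Android).
Static check only: a clean manifest does not prove a clean app.
"""
import xml.etree.ElementTree as ET
from typing import List

ANDROID_NS = "http://schemas.android.com/apk/res/android"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"


def _attr(elem: ET.Element, name: str):
    # Manifest attributes live in the android: namespace.
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def has_launcher_activity(manifest_xml: str) -> bool:
    root = ET.fromstring(manifest_xml)
    components = list(root.iter("activity")) + list(root.iter("activity-alias"))
    for comp in components:
        for flt in comp.findall("intent-filter"):
            actions = {_attr(a, "name") for a in flt.findall("action")}
            cats = {_attr(c, "name") for c in flt.findall("category")}
            if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
                return True
    return False


def requests_overlay(manifest_xml: str) -> bool:
    root = ET.fromstring(manifest_xml)
    return any(_attr(p, "name") == OVERLAY_PERM for p in root.findall("uses-permission"))


def hiddenads_indicators(manifest_xml: str) -> List[str]:
    flags = []
    if not has_launcher_activity(manifest_xml):
        flags.append("no launcher activity (icon hidden from app drawer)")
    if requests_overlay(manifest_xml):
        flags.append("SYSTEM_ALERT_WINDOW requested (can draw ads over other apps)")
    return flags


# Constructed sample manifest shaped like the apps described: a "wallpapers" app
# with no LAUNCHER filter and the overlay permission. Not a real package.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpapers">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Cool Wallpapers">
    <activity android:name=".MainActivity"/>
    <service android:name=".AdService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for flag in hiddenads_indicators(SUSPICIOUS_MANIFEST):
        print("flag:", flag)
```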
Many of the fraudulent apps were being promoted by a handful of TikTok and Instagram users, one of which had more than 300,000 followers. According to data from analytics firm SensorTower, the campaign netted more than $500,000 for the person or people behind the scam.
"We thank the young girl who reported the TikTok profile to us, her awareness and responsible action is the kind of commitment we should all show to make the cyberworld a safer place," said Avast threat analyst Jakub Vavra.
The apps violated both App Store and Google Play terms of service by serving ads outside of the app, hiding their app icons, and making false app functionality claims. Avast has reported the apps to Apple and Google, and the social media profiles to Instagram and TikTok.
"It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them," Vavra said.
Google has reportedly removed the apps from the Google Play Store. But as of the writing of this article, many of the fraudulent iOS apps are still available on the App Store.
Comments
Apple needs to start a very public campaign of cleaning out the App Store of these sketchy apps, and not limit itself to revoking the developer accounts of these apps, but also banning the actual developers themselves from ever being allowed back into developing apps for the App Store. That’s a hard - if not impossible task, but come on Apple. Last thing Apple needs is damaged trust.
Without consequences, they will continue doing it. There is just so much garbage out there.
As to the “hard to impossible” side of it, consider this: I have 1 game on my phone that I play a couple times a day. It has a “league” where it’s possible to compete with other players, but doing so requires signing in using a Facebook or Google account, neither of which I have. The latest update for the game came out yesterday and there is still no way to use “Sign In with Apple”, which I thought was supposed to be a requirement by now. Clearly, Apple has not caught that in this app, or I don’t fully understand what the requirements around SIwA are. But if they haven’t caught that, which seems relatively easy on the surface, then it must be much, much harder to catch the sort of app that this article references.
Good questions; the problem is that the writer left out a few details from the original Avast report, the most important part being exactly what platforms were affected by which malware.
From the article:
However, if you read the Avast report, it makes the following very clear:
There is still a serious problem with Apple customers being ripped off by apps like this. Apple needs to tighten up its reviews on any app that is offering in-app purchases. These scammers know that Apple will not actually make a purchase during the reviews, which is why they've hung around so long.
Apple also needs to actually read the app reviews on its own store; they'll be the first clue to a problem. If you're getting hundreds of 1-star reviews for any app or game, then you should at least take a look.
Agreed.
Apple should declare a clean-up month twice a year.
Are the android apps really serving ads outside of the app?
I'm not sure. If the app icon is hidden, then it could be that the app is running in background without a window, but the ad is still inside the app on some sort of timed thread. Not sure; someone who actually programs Android will probably have the answer; I wouldn't touch it to find out.
Like another user posted, this is crappy Android's "free and open" system. It would be near impossible to do this on Apple devices.
My mom had a crappy knockoff iPhone that couldn't even design the charger without stealing Apple's design; it would get pop-up ads on the homescreen and the lockscreen. It drove her crazy and it was annoying helping her with her phone when a FULL SCREEN ad would pop up every minute.
- Where's the link to the Avast report?
- What's the name of the girl?
- What are the names of the apps in both the Google Play and iOS App Store?
What's the point of this article? If it's to warn readers of apps to avoid, it doesn't tell what apps to avoid. If it's to recognize the girl's accomplishment, then why keep her anonymous?
Zuckerberg whines and complains she's being anti-competitive.
And manufacturers, you forgot the manufacturers.
Doxing the girl, a minor, who reported the app would be unbelievably unethical. That is something you just don't do and AI would never even consider it even if the information was available.
Just no.
https://snyk.io/blog/sourmint-malicious-code-ad-fraud-and-data-leak-in-ios/
"...Malicious code was uncovered in the iOS versions of the SDK from the Chinese mobile ad platform provider, Mintegral dating back to July 2019. The code can spy on user activity by logging URL-based requests made through the app. This activity is logged to a third-party server and could potentially include personally identifiable information (PII) and other sensitive information. Furthermore, the SDK fraudulently reports user clicks on ads, stealing potential revenue from competing ad networks and, in some cases, the developer/publisher of the application."
"...there is a particular routine that attempts to determine if the phone was rooted and if any type of debugger or proxy tools are in use. If it finds evidence that it is being watched, the SDK modifies its behavior in an apparent attempt to mask its malicious behaviors. This may also help the SDK pass through Apple’s app review process without being detected."
Absolutely correct on the doxing. Only an idiot would want a minor's name published under the circumstances. There is no crime in keeping her anonymous and no actual benefit to making her name known.
Even compared to your usual levels of Google cheerleading, this is really a bit desperate.
I did not say that iOS was immune to malware (in fact, no one in this thread has made such a claim). What I said was that the article implied that the iOS sandboxing mechanism was allowing ads to be served outside of applications. But if you look at the actual Avast report, this is not the case. The difference is important: if these ads were being served outside of a running application, then Apple has a serious bug that needs immediate attention, not because of some benign ads, but because what else could be coded up to exploit it.
As it turned out, only the Android platform was (apparently) allowing ads to be served outside of applications, and also allowing apps to be installed with hidden icons. This seems to have triggered your default response: race off and post the first article you can that you hope will distract folk from a potential flaw in Android by pointing the finger at iOS. And as expected the article you pointed at has nothing to do with the problem under discussion (which is actually the quality of the AI article more than anything else).
Your first line was the real giveaway:
Funny that we all know it, but just to keep Google out of the frame, you thought you'd just repeat it. An adware app is an app, so your post is already meaningless. The only way they can block this is by being a lot more thorough and stringent in their review. And even while I have often called for this, I know how difficult it would be without combing through thousands of lines of source code in millions of apps, line by line. Likewise they cannot check the thousands of third-party SDKs that app developers will use.
In much the same way that Android phone makers cheat in hardware reviews by detecting when the phone is running a benchmark, app developers can hide adware functionality by only triggering it after a certain amount of time has elapsed for example.
Still, Apple has done a very good job of keeping the platform reasonably safe, and they've done this because their user base is the most obnoxious, critical, rude, demanding customer demographic on the planet (I should know; I'm one of them). I mean, look at all the whining over a watch strap! Just … just get a strap that doesn't require you to measure your wrist!
On the other hand, Android phones have crapware installed before they arrive and the various stores are rife with dangerous data-thieving applications (other than Google's own applications obviously). And why is this? Simple. Android's user base is more obsessed with convincing itself that the platform is better than Apple, rather than focussing on Android itself. Apple users only care about making the Apple platform better, and to do that we sometimes have to be obnoxious, critical, rude and demanding.
Something you might want to think about before posting your next irrelevant deflection.
However, there is a link to the Avast article; it's just poorly done.