Researchers at bot mitigation firm White Ops have been tracking fraudulent apps in the Google Play store. These apps often imitate legitimate apps, even going so far as to lift code directly from them, but instead of providing true functionality they harvest user data and send it back to command and control servers.
Marcelle Lee is a principal threat intel researcher at White Ops, and she shares their findings.
The original research can be found here
Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday, presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dave Bittner: [00:00:26] And now a word about our sponsor, Juniper Networks. Organizations are constantly evolving and increasingly turning to multicloud to transform IT. Juniper's connected security gives organizations the ability to safeguard users, applications, and infrastructure by extending security to all points of connection across the network. Helping defend you against advanced threats, Juniper's connected security is also open, so you can build on the security solutions and infrastructure you already have. Secure your entire business, from your endpoints to your edge, and every cloud in between, with Juniper's connected security. Connect with Juniper on Twitter or Facebook. And we thank Juniper for making it possible to bring you Research Saturday.
Dave Bittner: [00:01:13] And thanks also to our sponsor Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything - all without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at enveil.com.
Marcelle Lee: [00:01:53] To have an app in the Google Play Store, actually, there isn't a huge barrier to entry for that.
Dave Bittner: [00:01:58] That's Marcelle Lee. She's a principal threat intel researcher at White Ops. The research we're discussing today is titled, "Another Day, Another Fraudulent App."
Marcelle Lee: [00:02:08] There's a lot of apps that we've come across that, you know, they don't have, like, a known website or, you know, it's not like Zynga. It could be, you know, Marcelle at Marcelle dot com has created some app. So basically, they just join the Google Developer network, and most of the exchange between the developer and the Google Play Store is done via API access. But yeah, like I said, the barrier to entry is pretty low. And Google, of course, does monitor for bad activity, but it's, like everything else in this field, whack-a-mole. It's almost impossible to keep up with everything that's being placed in the Play Store.
Dave Bittner: [00:02:47] And so, you all set your sights on this app that's called "Crazy Brainstorming." First of all, describe to us - what does this app claim that it's going to do for you when you download it?
Marcelle Lee: [00:02:59] Crazy Brainstorming is a game kind of app, and basically like brain teaser puzzles and that sort of thing. That's what it was purported to do. It didn't really function particularly that way, as we reveal within the course of our research. But ostensibly, that's what it was meant to be doing.
Dave Bittner: [00:03:17] And so, I see this app, I think this is something I might be interested in, and I download it. What happens next?
Marcelle Lee: [00:03:23] When you install the app, it goes to a sort of interesting series of - it will launch and put the icon on your desktop or your mobile app screen. And then it basically goes through this self-deletion process or what appears to be a self-deletion process. So, the app icon goes away - you won't find the app listed in your list of apps anymore, but it is actually still there. It just makes it so it's almost impossible for the average user to remove it. So, why does it do this is kind of a good question, right? And really, the main thing that this app seems to be doing is delivering ad content, and also redirecting users to what appears to be, in our estimation, a malicious website.
Marcelle Lee: [00:04:10] And so, with White Ops, that's something that we're particularly focused on, is looking for ad fraud. We work within that advertising ecosystem. And there's actually - I don't know, like the actual dollars involved - but there's lots and lots of money that's lost to ad fraud. So when I say ad fraud, I mean, like, an advertiser will pay for human clicks on a link or things like that, and then people like the developer of this app will cause ads to appear in ways that are sort of not proper, if you will, in terms of how they are displayed and how they appear to the user.
Marcelle Lee: [00:04:47] So, there's many different flavors of ad fraud. And at White Ops we go by - there's actually a taxonomy from a group called TAG. It's the Trustworthy Accountability Group. And to sort of put it in context of cybersecurity, it's almost like an ISAC for advertising industry. So, it's like the same kind of things, but not exactly the same industry, if you get what I'm saying.
Dave Bittner: [00:05:12] Yeah.
Marcelle Lee: [00:05:12] TAG puts out this invalid traffic taxonomy, and it has a variety of different categories of what's considered invalid traffic. And you have general invalid traffic, and then sophisticated invalid traffic. So that's the kind of things that we're looking for, that fall into these categories. And then similarly, from more of a true cybersecurity perspective, we also use the MITRE Mobile ATT&CK framework to categorize that sort of malicious activity. So, we combine both when we're doing the analysis of these apps.
Dave Bittner: [00:05:45] This app installs itself, it hides itself, and then it's using - do I have the pronunciation right? - the Tushu Software Development Kit is what's running under the hood?
Marcelle Lee: [00:05:56] Yes, that is what's running under the hood and your guess on pronunciation is as good as mine. We call it Tushu also.
Dave Bittner: [00:06:02] Okay. Right.
Marcelle Lee: [00:06:02] But yeah. So, the Tushu SDK is really the brains behind the whole thing. There are other SDKs within the app, but this was the one that was really creating most of the malicious activity - things like the ad behavior. And then the other piece is where the app launches this game center thing that looks like an app, and it appears on the screen as an app icon, but it literally is just a browser shortcut, not an actual app. And the Tushu SDK is behind all this activity as well. And this is the part where the user is, if they click on that, directed to the website that we discovered that was associated with all this.
Dave Bittner: [00:06:42] Yeah. It's interesting to me that in your research you found that the ads are triggered by a bunch of different activities with a mobile device - things like connecting or disconnecting from a WiFi network. What are the things that it's being triggered by? And why do you suppose it's interested in those changes of state?
Marcelle Lee: [00:07:01] Basically, it's interested in those changes of state because it means that the user is actively on the device and is therefore going to probably see an ad that pops up. So it does these full screen ads that are completely out of context from the app. Like, the ad pops up, you have absolutely no idea, as a user, where it came from. And you wouldn't necessarily be able to tie it back to the Crazy Brainstorming app, because as far as you knew, on your phone, that was not even on there anymore, right? It looks like it disappeared.
Dave Bittner: [00:07:28] So they're not trying to hide the ads behind things. They are actually displaying the ads?
Marcelle Lee: [00:07:33] Absolutely, displaying the ads. Which is - the hiding of the ads is another type of ad fraud, where you basically are showing a bunch of ads that nobody ever sees. But these ones are seen, and they're very invasive, too, because they're popping up full-screen, as I said, and it's hard for the user to get around them. Like, pretty much, the average user is going to probably click on the ad just trying to get rid of it. And that's going to often take them to the other website.
Dave Bittner: [00:08:00] And that's when they make their money, I suppose.
Marcelle Lee: [00:08:02] Yeah, they make the money from the ads. And then, also, there's even more crazy ad stuff happening on the website as well. But yeah, so things like network connectivity changes, the home key being pressed, unlocking the phone - these are all probably user-initiated activities and would all give rise to an ad appearing.
Dave Bittner: [00:08:24] This Crazy Brainstorming app - it downloaded another app? It was sort of functioning as a dropper?
Marcelle Lee: [00:08:30] So, it wasn't actually another app, it just had the appearance of an app.
Dave Bittner: [00:08:35] Hmm.
Marcelle Lee: [00:08:35] So, it looked like something was installed called "Game Center" on the screen of the device, but in actuality it was just a browser shortcut. So, just imagine it was a hyperlink hidden behind an icon. And so, as soon as you click that, you didn't actually launch an app, you just opened a website.
Dave Bittner: [00:08:57] And what was at that website?
Marcelle Lee: [00:08:59] So, that was the H5 Games website. And there were various different sort of iterations, but h5games[.]top was the one that we did most of our research on. Now, we're talking about a traditional website, and it's called Game Center. It appears to be a website that just has games for you to play, and lots of advertising too, of course. And some of the advertising was legit, but a lot of it was somewhat less than legit, I guess I'll say.
Dave Bittner: [00:09:28] Mm-hmm.
Marcelle Lee: [00:09:27] And then the games themselves, when you tried to actually play a game on this website, it didn't really work. Like, it was really laggy or, you know, you would click on things and nothing actually happened. So, the game aspect of it didn't really seem to be legit at all.
Dave Bittner: [00:09:46] Were they trying to download malware onto your system as well?
Marcelle Lee: [00:09:51] Yeah, so, this was actually pretty crazy. I don't think I've ever seen a website quite this busy with trying to install things on your computer. There was just a lot of pop-up ads, and some of the ones that we saw were - it was this thing called Doc2PDF, which was ostensibly an application that would allow you to convert, like, say, a Word doc to a PDF. And that one - I think we have a screenshot in the blog about it - the permissions that this particular file requested were kind of crazy, right? Just accessing all kinds of information, and reading and modifying bookmarks, storing client data.
Marcelle Lee: [00:10:25] So that was one example, but there were many, many different ads that kept popping up. And it was kind of funny, Dave, because, like, almost all of these, they were either like an executable that you would download, or they were a browser extension. And the browser extensions were often bundled with their own little search engine or whatever. So, if you started to download all these, you'd basically have, like, all these different browser extensions that were kind of tripping over each other trying to be the search engine of choice.
Dave Bittner: [00:10:54] (Laughs) Trying to push each other out to get to the head of the line.
Marcelle Lee: [00:10:57] Yeah. (Laughs) Exactly. So it was kind of funny.
Dave Bittner: [00:10:59] When you say these are trying to download executables, I mean, we're on a mobile device - are these desktop executables, or are these things designed to run on the mobile device?
Marcelle Lee: [00:11:10] So, these are actually desktop executables, which is sort of interesting...
Dave Bittner: [00:11:13] Huh.
Marcelle Lee: [00:11:12] ...Because you would think it's not really going to work on a mobile device. So, the only thing I can think with that, really, is I did see some suggestions, when the site was still up, that you could use this app in an emulated device on your Windows desktop computer. So, say you're running some kind of Android emulator to play games, which apparently is a thing that people do. It's not a thing that I do (Laughs). But yeah, so, if you were doing this on a Windows desktop, then absolutely these executables would impact you. But, I mean, overall, it didn't seem terribly well-thought-out for that aspect of it.
Marcelle Lee: [00:11:51] And another thing that kind of pointed to being kind of, I don't know, low-level player or noobish, was the advertisements, when you clicked on them in the website, they would just launch like within that same tab in the window. And like, if you actually wanted to go back to the website, you had to do that - you had to hit back. And websites don't render ads that way, right?
Dave Bittner: [00:12:14] Mm-hmm.
Marcelle Lee: [00:12:13] They don't want you to go off to another site and then lose your attention. So that was a bit of an anomaly, in terms of just sort of normal behavior.
Dave Bittner: [00:12:23] Now, in terms of the actual Crazy Brainstorming app, you all dug in there and you found that it was likely borrowing code from a legit app?
Marcelle Lee: [00:12:32] Yes. We discovered a bunch of references within the code to this other company, basically in their app. And when we dug into that, we discovered that it was a legitimate company, at least it appeared to be. And, you know, they had a number of games. And so we did this code comparison, and turned out that, like, at least 70 percent and probably more of the code was exactly the same in the Crazy Brainstorming game part as in this app from Rention. So, basically, they just lifted the code from another game. But it didn't work very well, because it kept, like, the code was so copied that it was calling back to the legit company for information...
Dave Bittner: [00:13:12] Oh, wow.
Marcelle Lee: [00:13:12] ...And it just didn't work. (Laughs)
Dave Bittner: [00:13:15] Walk through this with me, my line of thinking here, because it sounds like the Crazy Brainstorming app never actually runs. You can actually play Crazy Brainstorming on your device because the first thing it does is it hides itself.
Marcelle Lee: [00:13:29] Yeah, basically.
Dave Bittner: [00:13:29] So, do we suppose that that code is in there to get it past code review?
Marcelle Lee: [00:13:35] It could be. I'm speculating here...
Dave Bittner: [00:13:38] Yeah.
Marcelle Lee: [00:13:38] ...Because I don't really know, but that would make sense. Trying to get past code review or just to at least have the appearance of a real game. Because, I mean, there is, before it deletes itself, it drops that Game Center shortcut...
Dave Bittner: [00:13:51] Right.
Marcelle Lee: [00:13:50] ...And you could theoretically play it for a bit there. But like we said, it doesn't really work. So, yeah, it's a bit odd, because really the delivery seems to be of primarily the ads, which never really stop. And then the redirection to the website that we talked about. I don't know, it didn't seem terribly sophisticated, in terms of being able to see exactly, like, what the purpose was of this thing.
Dave Bittner: [00:14:17] Right. It also leaves me scratching my head that there were over a million downloads of this.
Marcelle Lee: [00:14:24] Yeah. In like a month.
Dave Bittner: [00:14:26] Yeah. Well, and are there no reviews? I don't know about you, but before I download an app, I generally check the reviews, and I can't imagine there would be positive reviews for an app like this. Any insights there?
Marcelle Lee: [00:14:39] Yeah. So, this is a bit of a mystery to our team as well. We haven't quite worked out how an app like this can show that it has a million downloads. We doubt that it legitimately had a million downloads, so there must be some way to, like, spoof that. And that part we haven't figured out yet.
Dave Bittner: [00:14:58] Oh.
Marcelle Lee: [00:14:58] But we've seen this with other apps. And it's just - it makes no sense for an app of this nature to be on the Play Store for like a month and get a million downloads...
Dave Bittner: [00:15:10] I see.
Marcelle Lee: [00:15:10] Unless - the other thing is, you know, do they have bots, like, driving the activity and it really was a million downloads? So, we're not sure.
Dave Bittner: [00:15:18] Yeah, but they're using that display of a million downloads as a misdirection for people to say, oh, well, if a million people downloaded this, it must be good.
Marcelle Lee: [00:15:26] Exactly.
Dave Bittner: [00:15:26] I see.
Marcelle Lee: [00:15:26] And we've seen that with other apps too. So, I don't know how they do it, but I would definitely say it's a spoofed figure - not real.
Dave Bittner: [00:15:32] Okay.
Marcelle Lee: [00:15:33] So, yeah, you bring up a good point, because I try to caution people all the time about being careful about what they are downloading on their phones, because I think the average person tends to think if it's coming from the Play Store or, you know, the iTunes store, then it's probably legit. And that just isn't the case, right? So, like you said, looking at the reviews is a good way, and this app did not have good reviews at all. People were like, it doesn't work, it's nothing but ads.
Dave Bittner: [00:16:01] Mm-hmm.
Marcelle Lee: [00:16:01] You know, things that were true. And then if you look at the developer, that's something that I'll look at as well. And in this case, the developer was a Linda Wang, which is sort of weird - usually it's like a company name, not a person's name. Their contact information was just a rando Gmail address. All these are things that would be red flags to me. Like, I want to see a known developer and, like, an actual website that I could go to to check them out...
Dave Bittner: [00:16:32] Right.
Marcelle Lee: [00:16:32] ...As opposed to, you know, this sort of thing.
Dave Bittner: [00:16:35] Now, suppose somebody downloads this. It's on their mobile device. Was there any hope of your average, you know, mere mortal removing it?
Marcelle Lee: [00:16:43] It would be really tricky for the average person to do it because, you know, like I said, the icon itself disappears, so you can't do the little finger drag to uninstall, and it doesn't show up in the list of apps either. So, you would basically have to go into settings somewhere, where apps were listed in another capacity, and remove it that way. But it wouldn't be an easy thing to do.
Dave Bittner: [00:17:10] All right. Well, what are your recommendations, then, for folks to protect themselves against this? I mean, what are the red flags?
Marcelle Lee: [00:17:17] Well, some of the things I said, you know, before you even download it, but once you've downloaded an app, you're going to get a notification of what sort of permissions that app wants. This is another area to be cautious about because, you know, if it's like, say, a Crazy Brainstorming game app and it wants to know where you're located, and you know, there's different locations too, like general versus sort of like a very granular. Does it want access to all your contacts? So on and so forth. There's a lot of sort of permission red flags for me.
Marcelle Lee: [00:17:47] I also recommend that everybody has antivirus or anti-malware installed on their mobile devices, because that's saved me more than one time, in terms of not getting dinged by an app that was malicious, or a website, too. It'll usually protect you from bad browsing stuff. So, I always recommend that. And it's surprising, Dave. Like, hardly anybody I know ever has that on their phone.
Dave Bittner: [00:18:13] Yeah, it's interesting. I think folks have a little - a false sense of security. I think they think that these app stores are going to protect them, and that's not always the case.
Marcelle Lee: [00:18:21] Yeah, it really is. It's just, like I said before, whack-a-mole. There's just too much out there to keep on top of. So, yeah, it's pretty interesting. And I will say, as a general rule of thumb, like, I don't recommend installing, like, apps that are flashlights. Flashlight apps are notorious for carrying malware with them. And most phones already have flashlights, so it's a little redundant anyway. Also, a lot of apps that say that they're antivirus are sometimes malware as well. So again, you have to be careful, like who is the publisher of that app? You know, is it coming from a known antivirus company or is it coming from Linda Wang? So, just things to look out for.
Dave Bittner: [00:19:04] Our thanks to Marcelle Lee from White Ops for joining us. The research is titled, "Another Day, Another Fraudulent App." We'll have a link in the show notes.
Dave Bittner: [00:19:14] Thanks to Juniper Networks for sponsoring our show. You can learn more at juniper.net/security, or connect with them on Twitter or Facebook.
Dave Bittner: [00:19:23] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at enveil.com.
Dave Bittner: [00:19:31] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Our amazing CyberWire team is Stefan Vaziri, Tamika Smith, Kelsea Bond, Tim Nodar, Joe Carrigan, Carole Theriault, Nick Veliky, Bennett Moe, Chris Russell, John Petrik, Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
Copyright © 2020 CyberWire, Inc. All rights reserved. Transcripts are created by the CyberWire Editorial staff. Accuracy may vary. Transcripts can be updated or revised in the future. The authoritative record of this program is the audio record.