Fraudsters deploy hundreds of retro game emulators to unwitting users in Asia

White Ops has identified a series of more than 240 Android apps that employed the same architecture to call up out-of-context (OOC) ads on users' devices and siphon away legitimate advertising spend.

The apps masqueraded as Nintendo (NES) emulators, which are pieces of software that mimic the hardware of an old-school console, allowing a user to open and run classic games on their mobile device or computer. White Ops dubbed the scheme 'RAINBOWMIX' as a nod to colourful retro video games.

Once the apps were installed on a user's device, they would display an OOC ad every 10 minutes. The ads were made to appear as though they were coming from popular applications and social-media platforms including YouTube and Chrome—enabling them access to the advertising supply chain.

The RAINBOWMIX assortment of apps spiked in volume in mid-to-late May and recorded considerable amounts of traffic over several months. 

The apps garnered more than 14 million downloads, and at their peak collectively recorded more than 15 million ad impressions per day.

The graph below shows the overall RAINBOWMIX volume (in blue), as well as the volume from eight of the highest volume apps in the time period.

Volume of apps from May 1 - August 15, 2020. Source: White Ops Threat Intelligence

Since the apps were downloaded on real user devices, all the traffic is legitimate. The traffic from the operation originated primarily from the Americas and Asia. The top five countries include Brazil (20.8%), Indonesia (19.7%), Vietnam (11%), the US (7.7%), Mexico (6.2%) and the Philippines (5.9%).

All of the apps associated with the RAINBOWMIX operation have since been removed from the Google Play Store.

How it work worked

White Ops detailed the workings of the fraudulent operation in a white paper.

The developers of the fraudulent apps ripped emulators from legitimate sources or low quality games, so they did offer what they claimed, albeit at a poor quality. For example, in the review section of one of the apps, users suggested the app was barely functional and many reported seeing out-of-context ads. It's why most of the RAINBOWMIX apps had a “C-shaped rating distribution curve” with primarily 1- and 5-star reviews—common with suspect apps, White Ops said.

The apps used 'packers' to bypass certain security protocols. A packer is software that saves a bit of space and obfuscates the final payload. When the appropriate time comes, the packer will “unpack” what it contains. They are now frequently used for intellectual property protection or malicious code that tries to bypass antivirus engines.

The code responsible for the OOC ads is located in packages that belong to spoofed versions of legitimate SDKs, such as Unity and Android. White Ops did not detect any fraud directly tied to such legitimate SDKs. All of the apps discovered seem to possess fairly low detection ratings across AV engines, largely because of the packer being used.

In the report, White Ops said the use of packers is "not a very sophisticated tactic".

The developers of the apps employed other techniques to evade detection, such as renaming the interstitial component of the ad SDKs to make it appear as the though ads are coming from well-known apps.

The same fraudulent architecture was written into all of the apps analysed to trigger the OOC ads. After a user installs the app, a URL (which is hidden) is contacted and the fraudulent ad network is activated. The domain used as the command-and-control for the operation was created in February 2017 but appears likely to be a hacked website, White Ops said. The domain was used by the threat actors to instruct the fraudulent app to show the OOC interstitial ads.

Seconds after installation, an AdColony interstitial would appear on the infected device’s screen, with an icon that implied to the user that the ad was being presented by a different app from the app that was actually showing it.

Another SDK would then take over and try to display an OOC ad every 10 minutes. This SDK, Ironsource, is legitimate and is "unlikely involved or aware of the abuse", White Ops noted.

The fraudsters behind RAINBOWMIX tracked when users turned their screen on and off to determine a good time to pop up an ad that would make the ad impressions count.