White Ops has uncovered a fraud operation responsible for developing 38 apps that reeled users in by offering selfie editing and beauty filters, and then used their devices to call up fraudulent ads.
The apps, all developed by the same fraud operation, were collectively downloaded on more than 20 million devices before they were removed from the Google Play Store, and siphoned away an unknown amount of advertising money.
The White Ops report into the fraud operation paints a picture of the cat-and-mouse game of ad fraud. From January 2019 the fraudsters published a new app roughly every 11 days on average, and each one was typically removed from the Play Store around 17 days after launch.
But even with an average lifespan of less than three weeks, the apps averaged 565,833 installs each, a measure of how popular selfie editing tools are.
By September 2019, 21 of the fraudsters' apps had been removed. This is when White Ops believes the group adapted its tactics, developing a more robust mechanism to avoid detection and removal. The inference rests on the fact that a batch of 15 apps published after September 2019 was removed at a much slower rate than the earlier versions.
In November 2019 the fraudsters threw a red herring into the operation by removing the majority of the fraudulent code from two of their apps, 'Rose Photo Editor & Selfie Beauty Camera' and 'Pinut Selfie Beauty Camera & Photo Editor'. They removed enough of it to render the fraud inactive. This may have been an attempt to test which parts of the code were causing the apps to be removed from the Play Store, or a bid to extend the lifespan of the apps. Either way, if (or when) the threat actors reactivate the fraud code in these apps via an update, the millions of users who still have them installed would become immediate victims of the scheme.
The app developers used several techniques to avoid detection by security software such as antivirus tools: "packers" that obfuscate the apps' packaged code so static scanners cannot read it directly, and verses from the Quran and Chinese characters embedded in the code to reduce its readability, mislead researchers about the operators' location, and break analysis tools (many of which do not handle Unicode characters). With each app release the techniques grew more sophisticated.
Fraudulent techniques employed by the apps included out-of-context (OOC) ads, in which ads are served to a mobile device while the user is not active in the app, and hiding the app icon from the device's home screen and app drawer. An app with no icon is much harder for a user to find and uninstall: it still appears in the system's application settings, but most users never look there.
The apps used two background services to call up interstitial or native ads from different ad networks: one requested an ad every 15 minutes, the other every 100 seconds.
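The three behaviours just described (non-ASCII strings that trip analysis tools, runtime hiding of the launcher icon, and short periodic ad timers) are all visible in decompiled output, so a triage script can flag them before anyone reads the code by hand. The following is an added example, not code from White Ops, the report, or the apps it describes. It assumes the analyst already has the manifest as XML and the decompiled source as raw bytes; the manifest, the source lines, the package name and the component names are all constructed for the demonstration, and the millisecond values mirror the 100-second and 15-minute intervals the article reports.

```python
"""Static triage heuristics for the behaviours described above
(icon hiding, periodic ad timers, non-ASCII strings in code).

Added example, not code from White Ops or from the apps in the report.
Input is what a decompiler hands you: the manifest XML and the
decompiled source as raw bytes. Every input below is constructed."""
import re
from xml.etree import ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

# Constructed manifest: the launcher icon belongs to an activity-alias,
# so the app can disable the alias at runtime and keep MainActivity.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.selfiecam">
  <application android:label="Selfie Beauty Cam">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".Launcher"
                    android:targetActivity=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity-alias>
  </application>
</manifest>
"""

# Constructed decompiled Java with Arabic and Chinese string literals
# and one deliberately invalid UTF-8 byte, the kind of input that
# breaks tools which assume ASCII.
SAMPLE_SOURCE = """
ComponentName alias = new ComponentName(this, "com.example.selfiecam.Launcher");
getPackageManager().setComponentEnabledSetting(alias, PackageManager.COMPONENT_ENABLED_STATE_DISABLED, PackageManager.DONT_KILL_APP);
alarm.setRepeating(AlarmManager.RTC_WAKEUP, System.currentTimeMillis(), 100000L, adTick);
handler.postDelayed(showInterstitial, 900000L);
String title = "美颜相机";
String pad = "مرحبا بكم";
""".encode("utf-8") + b"// \xff stray byte outside any literal\n"

HIDE_ICON_RE = re.compile(r"setComponentEnabledSetting\(.*COMPONENT_ENABLED_STATE_DISABLED")
SCHEDULE_RE = re.compile(
    r"\b(setRepeating|setInexactRepeating|postDelayed|scheduleAtFixedRate|setPeriodic)\s*\((.*)\)")
MILLIS_RE = re.compile(r"\b(\d{4,})L?\b")
STRING_RE = re.compile(r'"([^"]*)"')


def decode_source(raw: bytes) -> list[str]:
    """Decode decompiler output without dying on non-UTF-8 bytes."""
    return raw.decode("utf-8", errors="replace").splitlines()


def launcher_components(manifest_xml: str) -> list[dict]:
    """Components that own the LAUNCHER intent-filter; disabling one of
    these at runtime is what removes the icon from the app drawer."""
    root = ET.fromstring(manifest_xml)
    found = []
    for comp in root.iter():
        if comp.tag not in ("activity", "activity-alias"):
            continue
        categories = {c.get(ANDROID_NS + "name") for c in comp.iter("category")}
        if LAUNCHER_CATEGORY in categories:
            found.append({"name": comp.get(ANDROID_NS + "name"), "kind": comp.tag})
    return found


def hides_icon(lines: list[str]) -> bool:
    """True if the code disables a component via PackageManager, the
    usual way an app removes its own launcher icon after install."""
    return any(HIDE_ICON_RE.search(line) for line in lines)


def schedule_intervals_seconds(lines: list[str]) -> list[float]:
    """Millisecond literals passed to common scheduling APIs, in seconds."""
    intervals = []
    for line in lines:
        m = SCHEDULE_RE.search(line)
        if m:
            intervals.extend(int(n) / 1000 for n in MILLIS_RE.findall(m.group(2)))
    return sorted(intervals)


def non_ascii_literals(lines: list[str]) -> list[str]:
    """String literals containing non-ASCII characters; counted rather
    than treated as an error, so the scan keeps going."""
    return [lit for line in lines for lit in STRING_RE.findall(line)
            if any(ord(ch) > 127 for ch in lit)]


def triage(manifest_xml: str, raw_source: bytes) -> dict:
    """Combine the heuristics into a list of indicators for an analyst."""
    lines = decode_source(raw_source)
    launchers = launcher_components(manifest_xml)
    intervals = schedule_intervals_seconds(lines)
    foreign = non_ascii_literals(lines)
    indicators = []
    if hides_icon(lines):
        indicators.append("icon hiding: disables a component at runtime")
    if any(c["kind"] == "activity-alias" for c in launchers):
        indicators.append("launcher entry point is an activity-alias")
    if any(s <= 15 * 60 for s in intervals):
        indicators.append("short periodic timer, consistent with out-of-context ad calls")
    if foreign:
        indicators.append(f"{len(foreign)} non-ASCII string literal(s)")
    return {"launchers": launchers, "intervals_s": intervals,
            "non_ascii": foreign, "indicators": indicators}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_SOURCE).items():
        print(f"{key}: {value}")
```

These are heuristics, not verdicts: legitimate apps also use alarms, launcher aliases and non-English strings, and a packer hides all of this until the code is unpacked. The point of `decode_source` is that the scanner keeps going on the invalid byte instead of stopping, which is exactly where an ASCII-only tool gives up.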
The White Ops Satori Threat Intelligence and Research Team is continuing to monitor this threat and will flag any adaptations or new apps that emerge. The company said: "There's reason to believe fraud will resume from these bad actors, it's only a question of where, when, and how."
Ryan Murray, APAC regional director, said it is important that marketers in the region understand the threat of ad fraud operations such as this, especially given the region's heavy reliance on mobile.
"In a region where smartphone penetration is due to reach 62% by 2025, marketers in APAC not only need to understand the increasing threat that fraudulent apps represent, both to digital advertising and the end consumer, but more importantly, need to recognise the steps they must take in order to mitigate their exposure to the malicious players," Murray told Campaign Asia-Pacific.
"The sophistication of this operation shows that bad actors are highly innovative and adaptive in nature, highlighting the need for constant vigilance when it comes to identifying and combatting fraudulent activity on mobile devices."