Researchers: Gabi Cirlig, Vikas Parthasarathy, Dr. Michael Moran, Michael McNally, Inna Vasilyeva, Mikhail Venkov, Federico Harrington, Adam Sell

HUMAN’s Satori Threat Intelligence and Research Team has been investigating a CTV-centric botnet—dubbed PARETO—since the first half of 2020. The botnet took advantage of the shift to digital accelerated by the pandemic by hiding in the noise in order to trick advertisers and technology platforms into believing that ads were being shown on CTVs. Today, we’re revealing technical details of PARETO’s inner workings in an effort to help the industries impacted better understand the nature of the threat and how to prevent it from recurring in the future.

HUMAN worked closely with our partners in The Human Collective (our recently-launched industry-wide initiative for protecting the digital advertising ecosystem from the impacts of fraud)—including Omnicom Media Group, The Trade Desk, and Magnite—and with Google and Roku to disrupt the functional components of PARETO.

The PARETO operation has been sophisticated and evasive over the last year. However, for each spoofing cycle, as PARETO launched a new disguise for its fake traffic, HUMAN was able to detect it and continuously develop new techniques to protect our customers. While we have been mitigating the impacts of this operation for much of the past year, as PARETO became more sophisticated and evasive we concluded that the time had arrived to take collective action in concert with our partners. We chose to act now to protect the digital advertising ecosystem from the long-term impacts of PARETO.

In short, the PARETO botnet is nearly a million infected Android devices pretending to be millions of people watching ads on smart TVs and other devices, causing invalid traffic on streaming platforms. PARETO-associated traffic accounted for an average of 650 million daily bid requests witnessed by HUMAN’s Advertising Integrity solution, the result of 29 Android apps spoofing more than 6,000 CTV apps. Several of the Android apps were available only through third-party marketplaces. PARETO exploited many organizations and components in the advertising technology ecosystem; references to them within this analysis do not imply complicity in the operation.

HUMAN’s Satori team also observed a distinct-but-connected operation on Roku: we found a collection of 36 apps on Roku’s Channel Store that received instructions from the same command-and-control (C2) server that was operating nodes in the PARETO botnet. These apps, in a similar fashion to the Android-based PARETO apps, were spoofing smart TV and consumer streaming device ad impressions. This operation was significantly smaller than the Android-centric operation.

Connected TV (CTV) provides massive opportunities for streaming services and brands to engage with consumers through compelling content and advertising. Because of this opportunity, it is incredibly important for the CTV ecosystem and brands to work together through a collectively protected advertising supply chain, so that fraud is recognized, addressed and eliminated as quickly as possible and the ecosystem realizes the full benefits of a great, fraud-free CTV customer experience.

The research below is presented in three primary sections: static analysis (what the Satori team saw in the code itself), dynamic analysis (what the team witnessed the apps in question doing when operational), and threat intelligence analysis (what the team found by way of additional context to the other findings). For a simpler look at PARETO, please see our other blog post on the investigation.

 

Background

The Satori team identified a collection of Android devices passing themselves off as CTV devices, using common user agents associated with real consumer streaming devices. On closer inspection, HUMAN’s Reverse Engineering team discovered an app, the investigation of which uncovered a broad operation committing ad fraud through a proprietary SDK that spoofed CTV devices at a very large scale.

The Satori team found a total of 29 Android apps operating a botnet—dubbed PARETO—which forces infected devices to visit URLs specified by the operator of the botnet via an SDK named TopTopSDK. This SDK is used mainly for sending fake CTV ad impression events. The botnet and its actions are controlled by a command-and-control (C2) JSON server that is pinged for new commands every 30 seconds. The URL differs from app to app, but the root C2 is the same for every one of them. The JSON is very similar across apps, specifying the frequency of ad rotation and the device brand.

Several apps (36 in total) on Roku’s Channel Store connected to the same C2 server, and received instructions that indicate the apps were spoofing ad impressions on other consumer streaming devices. Those apps were contacting the same C2 JSON server as the PARETO apps and the TopTopSDK.

 

Static Analysis

For simplicity’s sake, we’ll look at a recent version of the PARETO Android SDK. TopTopSDK matured through multiple stages as time went on, progressing from a simple clicker with user agent spoofing capabilities to a full-blown SSL emulation stack.

App Name: Any Light
Package Name: com.bestMedia.anylight
SHA256: EB1CE970C1533E4292344AA883A1C37C7C00830E1F2CE9EB91DAB87816F95680
File Size: 8.8 MB
Google Play Store Link: hxxps://play.google.com/store/apps/details?id=com.bestMedia.anylight
Current Version: 1.5
Developer: Minitools Games

 

At first glance, the app’s Play Store listing doesn’t suggest anything might be amiss. The record doesn’t indicate that any ads are shown in the app.

 

App on the Google Play Store
Source: HUMAN's Satori Threat Intelligence and Research Team, November 2020

 

On looking behind the curtain at this app, we can see an odd-looking SDK that had no place inside of an ad-free app:

Suspicious SDK content (earlier version)
Source: HUMAN's Satori Threat Intelligence and Research Team, November 2020

 

Notice the ClickURLsService service. The above SDK content is from an earlier iteration, which didn’t try to hide its SDK as much as newer instances do. Fast forward a couple of months and only a few classes are still out in the open:

 

Suspicious SDK content (current version)
Source: HUMAN's Satori Threat Intelligence and Research Team, March 2021

 

The class StartServiceReceiver extends Android’s BroadcastReceiver in order to trigger the automatic C2 pinging on boot. This behaves like a persistence mechanism, allowing the app to get a new batch of work every 30 seconds from the C2:

 

The alarm extension of the receiver
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Deeper in the app’s code, we can find a base64-encoded string which points to the master C2 URL:

 

Base64 encoded string
Source: HUMAN's Satori Threat Intelligence and Research Team

 

It also initializes a shared preference property with default values for spoofing the ciphers of various CTV devices when reporting impression events. Interestingly, while the earlier version of the SDK has these strings encoded with the base64 algorithm, the newer version only tries to obfuscate the C2 URL.

The master C2 contains two fields for additional configuration for cipher spoofing and separate C2 endpoints from which all the apps in the operation can pull work.


Raw data of the packet including cipher configurations
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Both the ciphers and the data fields require removing the first 10 bytes of the string before they are valid base64. Once decoded, the data field lists the apps and their respective endpoints:

 

Decoded Data field
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Based on the information in the received file, the Satori team has been able to identify the apps that contain the TopTopSDK.

Visiting the URLs uncovers a two-field JSON that’s not legible by default:

 

JSON fields
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Instead, we need to isolate the decryption routine, extract it and run our own decryptor separately:

 

In app decryption routine
Source: HUMAN's Satori Threat Intelligence and Research Team

 

As we can see, it is a simple implementation of AES CBC encryption with a hardcoded key and a variable IV. Decryption requires pulling the snippet out and running it over a JSON response received from the server:

 

Implemented decryption mechanism
Source: HUMAN's Satori Threat Intelligence and Research Team
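The two decoding steps described above, replayed in Go as an added example (this is not code from the report or from TopTopSDK): dropping the 10-byte prefix from the master config's "ciphers" and "data" fields before base64 decoding, and running the AES-CBC routine with a hardcoded key and a per-message IV over the two-field C2 JSON. The key, the field names "iv" and "data", and the sample workload are placeholders and assumptions; the SDK's real key and field names are deliberately not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"errors"
)

// PlaceholderKey stands in for the key hardcoded in TopTopSDK (not reproduced here).
var PlaceholderKey = []byte("0123456789abcdef") // 16 bytes, AES-128

// Workload is the two-field C2 JSON; field names are assumed, the page only says two fields.
type Workload struct {
	IV   string `json:"iv"`   // per-message IV, base64
	Data string `json:"data"` // AES-CBC ciphertext, base64
}

// StripPrefixAndDecode drops the 10 leading bytes the master C2 config prepends, then base64-decodes.
func StripPrefixAndDecode(field string) ([]byte, error) {
	if len(field) <= 10 {
		return nil, errors.New("field shorter than its 10-byte prefix")
	}
	return base64.StdEncoding.DecodeString(field[10:])
}

// DecryptWorkload replays the app's routine: AES-CBC, fixed key, IV from the message, PKCS#7 unpadded.
func DecryptWorkload(raw, key []byte) ([]byte, error) {
	var w Workload
	if err := json.Unmarshal(raw, &w); err != nil {
		return nil, err
	}
	iv, err := base64.StdEncoding.DecodeString(w.IV)
	if err != nil || len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly one AES block")
	}
	ct, err := base64.StdEncoding.DecodeString(w.Data)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext must be whole AES blocks")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or corrupted message")
	}
	return pt[:len(pt)-n], nil
}

// EncryptWorkload is the server-side inverse, included only to build a constructed sample response offline.
func EncryptWorkload(plain, key, iv []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return json.Marshal(Workload{IV: base64.StdEncoding.EncodeToString(iv), Data: base64.StdEncoding.EncodeToString(ct)})
}
```

A wrong key almost always surfaces as a padding error rather than garbage JSON, which is the first check to run when a captured response will not decode.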

 

Visiting the URL by itself doesn’t uncover anything noteworthy, but detonating the sample (covered in the dynamic analysis below) shows more. Further static analysis gives a glimpse of what a full C2 response should look like:

 

Expected data from C2 in a.c.a.d
Source: HUMAN's Satori Threat Intelligence and Research Team

 

By using a custom TLS stack and HTTP client, the operators have full header and cipher control of the communication. They can also spoof device characteristics such as window dimensions.

Initially, this was done through fine control of the okhttp3 library.

 

Initial okhttp3 Code
Source: HUMAN's Satori Threat Intelligence and Research Team

 

As time passed, the operators increased their sophistication and even started working on their own HTTPS client.

 

Current code with custom HTTPS implementation
Source: HUMAN's Satori Threat Intelligence and Research Team

 

It features its own cipher implementation and protocol customization:

 

In-app cipher and protocol setup
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Custom SSL Library Implementation

Work pulled from the C2 server gets routed through the library’s custom okhttp3 implementation.

 

Worker entry point
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Depending on which CTV device is intended to be spoofed, different ciphers and okhttp configurations are used:

 

Cipher selection per device
Source: HUMAN's Satori Threat Intelligence and Research Team

 

 

Big switch block controlling cipher selection
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Vanilla okhttp ConnectionSpec
Source: HUMAN's Satori Threat Intelligence and Research Team

 


While the default okhttp ConnectionSpec class was not modified, they did tamper with the default interceptor at the socket level in order to add some Roku edge cases.


Side by side comparison of original okhttp and the patched version
Source: HUMAN's Satori Threat Intelligence and Research Team

 

As can be seen, the extra Roku bytes are not sent over the socket by the unmodified library, whereas in the tampered version the operators took great care to emulate the behaviour of an actual device. Also note the class C0075f, used when they obtain the socket object inside the patched interceptor:

 

Patched okhttp interceptor
Source: HUMAN's Satori Threat Intelligence and Research Team

 

This is an extension of the socket that they use to spoof TLS traffic of various CTV devices. By patching the okhttp interceptor, the library has TCP-level control over the flow of data. Inside, we can see the implementation of various ciphers commonly used among CTV devices:

 

Socket wrapper
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Dynamic Analysis

The initial command-and-control configuration is a JSON file hosted inside an open S3 bucket:

 

First connection to the C2, after installation
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Second request with the ciphers and secondary endpoints
Source: HUMAN's Satori Threat Intelligence and Research Team

 

After some adjustments, we managed to get some work from the C2 server. Just as the app spoofs its device, we can spoof ours in order to make it more appealing to the threat actors; for instance, the botnet’s operators appear to be targeting US-based devices.

 

Encrypted workload received from the C2
Source: HUMAN's Satori Threat Intelligence and Research Team

 

By decrypting the C2 request, we can observe the work the device has been tasked with. It instructs the device to visit a specific URL and spoof a certain CTV device.

 

Decrypted request with C2 instructions
Source: HUMAN's Satori Threat Intelligence and Research Team

 

This allows the malicious app to visit any URL the C2 might send while impersonating any device. These requests are handled by the original okhttp3 code; further requests are spoofed by the built-in library.

 

C2 communication and device spoofing
Source: HUMAN's Satori Threat Intelligence and Research Team

 

It is worth noting that TopTopSDK also spoofs more than 6,000 CTV apps, by way of the URL that is sent to the impressions server. Spoofing those apps is straightforward, requiring only a change to one string parameter.

Shifting to the adjacent Roku operation, we can see that on install, several apps contact the same C2 server as the PARETO Android apps:

 

AdConfig Section of NinjaSlash Roku App
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Notice the aminaday[.]com URLs in multiple places in the above screenshot.

HUMAN tested the endpoint with Roku user-agents:

 

 

In one iteration, HUMAN observed a GTV device being spoofed in a ClickThrough event. Note that the app spoofed here is just one example of the more than six thousand apps that the PARETO botnet spoofed in our observations. As in this instance, a majority of spoofed apps are apparent victims of PARETO, just as the CTV platforms and major intermediary ad networks were.

 

Similarly, HUMAN observed another VAST XML being served by the same C2, creating multiple impressions with spoofed device user-agents:

 

VAST XML Served by C2 Server, Spoofing Multiple CTV Devices
Source: HUMAN's Satori Threat Intelligence and Research Team

 

The second C2 URL is found within dataPartnerConf. Its first-level directory is the same as that of the C2 in the Android operation. This endpoint alternates between sending encrypted command schemes, as observed in the Android operation, and clear-text URLs to connect to.

 

The C2 endpoint sending encrypted commands
Source: HUMAN's Satori Threat Intelligence and Research Team

 

C2 endpoint sending URLs to visit
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Threat Intelligence Analysis

Here’s a screenshot—which should look familiar—of the TopTopSDK within one of the PARETO-connected apps:

 

toptop.sdk is the name of the SDK in Android apps
Source: HUMAN's Satori Threat Intelligence and Research Team

 

On their own website, TopTopMedia shortens this name to “TTM”:

 

TopTopMedia referring to itself as TTM on its site.
Source: TopTopMedia website

 

This name shortening is notable, as it correlates to a reference to the operation’s SDK as seen in the traffic associated with the botnet:

 

References to TTM in botnet traffic
Source: HUMAN's Satori Threat Intelligence and Research Team

 

As to the Roku operation, Playtium linked to a TopTopMedia website for a privacy policy attached to one of its apps, linking the two beyond the shared C2 server:

 

Playtium Privacy Policy Linking to TopTopMedia
Source: HUMAN's Satori Threat Intelligence and Research Team

 

Appendices

Appendix 1: C2 Domains

The following domains are passive DNS entries for the C2 server in the PARETO botnet:


 

Appendix 2: IP Addresses

The following IP addresses are hosting the PARETO SDK:


 

Appendix 3: List of Android Apps

The following are Android apps associated with the PARETO botnet, and should be removed from all devices:

App name | Package name | Installs | Play Store | SDK
Flash Light | com.digtoymedia.flashLight | 100,000+ | Yes | Yes
Mobile Screen Recorder | com.wwmmedia.screenrecorder | 1,000+ | Yes | Yes
 | com.gr8media.pinpulls | | No | Yes
 | com.bestMedia.flashLight | | No | Yes
 | com.freemedia.callrecorder | | No | n/a
Sling Puck 3D Challenge | com.gr8media.slingpuck | 100,000+ | Yes | Yes
Hole Ball King | com.gr8media.holesking | 10,000+ | Yes | Yes
 | com.m360tech.LightTorch | | No | Yes
 | com.toptop.toptopsdk4 | | No | Yes
Carpet Clean 3D | com.gr8media.carpetclean | 5,000+ | Yes | Yes
Save The Balloons | com.wwmmedia.ballonssave | 50,000+ | Yes | Yes
 | com.wwmmedia.flashLight | | No | Yes
Light Torch SOS | com.nitzanMedia.sosFlashTorch | 10,000+ | Yes | Yes
 | com.debug.testApp | | No | Yes
 | com.release.prod_sdk | | No | Yes
 | com.bestMedia.flashLightV2 | | No | n/a
 | com.toptop.toptopsdk7 | | No | Yes
 | com.toptop.toptopsdk8 | | No | Yes
 | com.toptop.toptopsdk9 | | No | Yes
 | com.toptop.toptopsdk10 | | No | Yes
 | com.toptop.toptopsdk11 | | No | Yes
 | com.toptop.toptopsdk12 | | No | Yes
 | com.toptop.toptopsdk13 | | No | Yes
 | com.toptop.toptopsdk14 | | No | Yes
 | com.toptop.toptopsdk15 | | No | Yes
 | com.toptop.toptopsdk16 | | No | Yes
 | com.toptop.toptopsdk17 | | No | Yes
Any Light | com.bestMedia.anylight | 10,000+ | Yes | Yes
Bump Challenge - MultiSport | com.m51.colorbump | 5,000+ | Yes | Yes

 

Appendix 4: List of Roku Apps

The following are Roku apps drawing instructions from the C2 server associated with the PARETO botnet, and should be removed from all devices:

Channel/Game | Roku ID | Channel Link | Developer Name
Balloon Madness | 276870 | hxxps://channelstore.roku.com/details/276870/balloon-madness | Playtium
Galactic Hero | 614487 | hxxps://channelstore.roku.com/en-ot/details/46948bd515c16ea0eead2161fb92d6dc/galactic-hero | Playtium
Ninja Slash | 618235 | hxxps://channelstore.roku.com/en-ot/details/834ee2773cc17727842afd1892171e62/ninja-slash | Playtium
Cool Slots | 607935 | hxxps://channelstore.roku.com/en-ot/details/ec2786b2597c17d723cdc4ad4f9ba7b8/cool-slots | Playtium
Video Poker Casino | 604265 | hxxps://channelstore.roku.com/en-ot/details/79def867b2bd25e3e1e757eca09d8b2b/video-poker-casino | Playtium
Jet Jumper | 614527 | hxxps://channelstore.roku.com/details/478aea22b1c093d402ea7d570bf70d1a/jet-jumper | Playtium
Mega Slots | 574516 | hxxps://channelstore.roku.com/en-gb/details/574516/mega-slots | Playtium
Starx-Sort Puzzle | 617310 | hxxps://channelstore.roku.com/en-ot/details/dd658f5f6d2ab49d74d1ac3d5e41ae38/stax-sort-puzzle | Playtium
Cowboy Slots | 584115 | hxxps://channelstore.roku.com/en-ot/details/dc98835061e57f4c2b2e9cf8803b531d/cowboy-slots | Playtium
Video Blackjack | 611325 | hxxps://channelstore.roku.com/en-ot/details/3451751a70fc90e3d22dc8412d9eb4b8/video-blackjack | Playtium
Bingo Rush | 606644 | hxxps://channelstore.roku.com/details/54ccecaf85dee9274a217f5fb657cc13/bingo-rush | Playtium
Bing Rush Vacations | 618110 | hxxps://channelstore.roku.com/details/02083a8e5e7e423c52f91a6015c3e79a/bingo-rush-vacations | Playtium
Video Poker Fortune | 604192 | hxxps://channelstore.roku.com/details/fe1b9c6f3d38b1be55065873d30b8aa9/video-poker-fortune | Playtium
Video Poker Club | 585531 | hxxps://channelstore.roku.com/details/3a48fed499450c4e6191ed48380d588a/video-poker-club | Playtium
Fantasy Slots | 577524 | hxxps://channelstore.roku.com/details/377a53c1d645989199c2bbf3f7d00125/fantasy-slots | Playtium
Monster Crusher | 617203 | hxxps://channelstore.roku.com/details/d14c42f1d0da28d7179509d65558c12b/monster-crusher | Playtium
Sports Slots | 588317 | hxxps://channelstore.roku.com/details/d5eee1b92b283f4341db69680f7490ed/sports-slots | Playtium
Spooky Slots | 596355 | hxxps://channelstore.roku.com/details/e600a2d0a3a1f2debaa43b4e3c96b045/spooky-slots | Playtium
Video Poker Old West | 604287 | https://channelstore.roku.com/en-gb/details/260144b67c74ff1709e614dbe70062a6/video-poker-old-west | Playtium
Video Poker Diamond | 604266 | https://channelstore.roku.com/en-ot/details/9ce777479b2e7a398613342defa50ca3/video-poker-diamond | Playtium
Video Poker Casino | 604265 | https://channelstore.roku.com/en-ot/details/79def867b2bd25e3e1e757eca09d8b2b/video-poker-casino#! | Playtium
Video Poker The Movies | 604256 | https://channelstore.roku.com/en-ot/details/5f7a0af5ac5fa30722f01ec6fb45f073/video-poker-the-movies | Playtium
Video Poker Runway | 604248 | https://channelstore.roku.com/en-ot/details/c1fb0a3ee428e4957f88c389469fe48d/video-poker-runway | Playtium
Video Poker London | 604233 | https://channelstore.roku.com/en-ot/details/d6e740a68420efdbc6ef4aca937a4ba5/video-poker-london | Playtium
Fire Slots | 596357 | https://channelstore.roku.com/en-ot/details/32089ced6e93ec4bddc212c6a7218ac9/fire-slots | Playtium
Diamond Slots | 596343 | https://channelstore.roku.com/en-ot/details/3868b6e0d1f3dca3881bc36115eabe27/diamond-slots | Playtium
Neon Slots | 596317 | https://channelstore.roku.com/en-ot/details/0987ae77061e4c36c5a8bc9ee27442a1/neon-slots | Playtium
Valhalla Slots | 596199 | https://channelstore.roku.com/en-ot/details/58523f61e527a197979c8fb39970ad16/valhalla-slots | Playtium
Mythology Slots | 589649 | https://channelstore.roku.com/en-ot/details/82cfd24c25b56814193aade6f218d579/mythology-slots | Playtium
Cinema Slots | 589446 | https://channelstore.roku.com/en-ot/details/0fcd69d7d4792d6899f54e84fc3421be/cinema-slots | Playtium
Mafia Slots | 588599 | https://channelstore.roku.com/en-ot/details/2323fbf23e90f5a25bfa1130f9337a86/mafia-slots | Playtium
Excavate Slots | 588572 | https://channelstore.roku.com/en-ot/details/dc38b43a08ce31dc99ad4618ebd4e309/excavate-slots | Playtium
Garden Slots | 588430 | https://channelstore.roku.com/en-ot/details/f700f8b02e0c0611183562513c5bc400/garden-slots | Playtium
Lucky Slots | 582471 | https://channelstore.roku.com/en-ot/details/fab6930125c89e6a1a762e36e8b7af74/lucky-slots | Playtium
Ocean Slots | 584277 | https://channelstore.roku.com/en-ot/details/bed31d53b3b117130c34f83910659bc9/ocean-slots | Playtium
Pirate Slots | 580381 | https://channelstore.roku.com/en-ot/details/8e50625d8921f6fadc6a110466b98de5/pirate-slots | Playtium
