Fraud isn’t always what it appears to be.
HUMAN’s Satori researchers recently uncovered and disrupted IconAds, a massive fraud operation involving hundreds of deceptive mobile apps that hide their presence and deliver unwanted ads. Researchers have been monitoring this operation for years, helping to develop protections against the scheme’s impact and tracking adaptations from the threat actors.
Sophisticated operations such as IconAds highlight the evolving tactics of threat actors. Satori researchers are uniquely qualified to uncover adaptations in schemes like this, as evidenced in the recent BADBOX/BADBOX 2.0, Poseidon/Charybdis/Scylla, and Scallywag operations.
IconAds, in Brief
IconAds is a collection of 352 apps that commit ad fraud by rendering full-screen out-of-context ads and hiding or replacing their icons to make it harder for users to remove them. At peak, IconAds accounted for 1.2 billion fraudulent bid requests a day.
As with several recent Satori investigations, IconAds is an evolution of an earlier scheme called “HiddenAds,” which researchers have been tracking since 2023. The initial iteration of this threat registered in the tens of millions of bid requests per day.
For the latest operation, IconAds changed its tactics, and that shift is what drove the number of bid requests significantly higher.
Satori researchers observed several types of layered obfuscation in IconAds applications, both in Java and native code. IconAds’ primary technique employs command-and-control (C2) communications using seemingly random English words to conceal specific values—such as model, OS version, and language—during network communications. Additionally, this same obfuscation tactic was used in the URL path, and the random words changed from app to app. The threat actors used malicious activity aliases to hide their activity and the app itself.
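The activity-alias tactic mentioned above has a manifest-level footprint a defender can check for. The following is an added example, not code from HUMAN or the IconAds report: it parses an AndroidManifest.xml and flags launcher `<activity-alias>` entries whose label or icon differs from the application's own, or which stay enabled while their target activity is disabled. The sample manifest, the heuristic rules and the package name are constructed assumptions, not values taken from any IconAds app.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
LAUNCHER_FILTER = """<intent-filter>
  <action android:name="android.intent.action.MAIN"/>
  <category android:name="android.intent.category.LAUNCHER"/>
</intent-filter>"""
# Constructed sample manifest (not from any real IconAds app): the real
# launcher activity is disabled and an alias with a blank label and a
# different icon takes over the MAIN/LAUNCHER intent filter.
SAMPLE_MANIFEST = """<manifest xmlns:android="%s" package="com.example.constructed">
<application android:label="Photo Tools" android:icon="@mipmap/ic_launcher">
<activity android:name=".MainActivity" android:enabled="false">%s</activity>
<activity-alias android:name=".Hidden" android:targetActivity=".MainActivity"
 android:label="" android:icon="@drawable/blank">%s</activity-alias>
</application></manifest>""" % (ANDROID_NS, LAUNCHER_FILTER, LAUNCHER_FILTER)

def _attr(el, name, default=None):  # read an android:-namespaced attribute
    return el.get("{%s}%s" % (ANDROID_NS, name), default)

def _is_launcher(el):  # does this component own a MAIN/LAUNCHER filter?
    for f in el.findall("intent-filter"):
        actions = {_attr(a, "name") for a in f.findall("action")}
        cats = {_attr(c, "name") for c in f.findall("category")}
        if "android.intent.action.MAIN" in actions and "android.intent.category.LAUNCHER" in cats:
            return True
    return False

def find_suspicious_aliases(manifest_xml):
    """Return [(alias_name, [reasons])] for launcher aliases worth a closer look."""
    app = ET.fromstring(manifest_xml).find("application")
    app_label, app_icon = _attr(app, "label"), _attr(app, "icon")
    activities = {_attr(a, "name"): a for a in app.findall("activity")}
    findings = []
    for alias in app.findall("activity-alias"):
        if not _is_launcher(alias):
            continue
        reasons = []
        if _attr(alias, "label") is not None and _attr(alias, "label") != app_label:
            reasons.append("launcher label differs from application label")
        if _attr(alias, "icon") is not None and _attr(alias, "icon") != app_icon:
            reasons.append("launcher icon differs from application icon")
        target = activities.get(_attr(alias, "targetActivity"))
        if (target is not None and _attr(target, "enabled", "true") == "false"
                and _attr(alias, "enabled", "true") != "false"):
            reasons.append("enabled alias targets a disabled activity")
        if reasons:
            findings.append((_attr(alias, "name"), reasons))
    return findings
```

Aliases with a distinct label or icon are legitimate in some apps (for example, alternate launcher icons), so treat a hit as a triage signal to pair with the network-level indicators described above, not as a verdict on its own.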
Defending Against a Moving Target
IconAds proves once again that there is immense value in taking a proactive approach to defending against cyber threats.
Thanks to the work of Satori researchers, IconAds apps have been removed from the Google Play Store, and HUMAN helps customers protect themselves from this operation. Researchers will also continue to monitor the operation to ensure resilience against new variants and apps. As the saying goes, once you stop one type of cyber scheme, another one emerges to take its place.
However, not just any platform can stop these threats. Proactive defense is a skill that requires continuous training. Satori researchers reverse engineer schemes like IconAds and examine signals from the Human Defense Platform to identify more fraud than other research organizations. IconAds has a total of 352 apps, but this number includes disclosures from other researchers. Satori’s 121 newly disclosed apps are the largest disclosure of fraudulent apps as the security research community continues to combat these threat actors.
What’s Next for IconAds
Threat actors will keep disrupting the internet by refining their tactics each time they are caught.
Even while writing the IconAds technical report, Satori researchers uncovered and reverse-engineered new waves of apps associated with the threat. While these apps often have a short shelf life before they’re removed from Google’s Play Store, the continued new releases demonstrate the threat actors’ commitment to further adaptation and evolution. Satori’s demonstrated skill in identifying and exposing threat actor adaptation will be invaluable as the IconAds threat—and others that follow it—continues to evolve.