Researchers: Louisa Abel, Nico Agnese, Maor Elizen, Lindsay Kaye, João Marques, Vikas Parthasarathy, João Santos, Adam Sell

IVT Taxonomy: Manipulated Behavior

HUMAN’s Satori Threat Intelligence and Research Team has uncovered and disrupted an operation dubbed IconAds. This scheme centered on a collection of 352 apps which load out-of-context ads on a user’s screen and hide the app icons, making it difficult for a user to identify the culprit app and remove it. At its peak, IconAds accounted for 1.2 billion bid requests a day.

IconAds is an expansion and evolution of an operation that Satori researchers have been monitoring and defending against since 2023. That earlier operation has been disclosed by other organizations, but several key tactics—and recent adaptations—in the attack have not previously been described. IconAds-associated traffic appeared worldwide, with the largest percentages of traffic deriving from Brazil, Mexico, and the United States.

Global distribution of IconAds-associated traffic

Google removed all of the apps identified in the report from Google Play. Users are automatically protected by Google Play Protect, which is on by default and can warn users or block apps known to exhibit malicious behavior on Android devices with Google Play Services. Customers partnering with HUMAN for Ad Fraud Defense are protected from the impact of IconAds.

Technical Analysis

Researchers analyzed apps associated with multiple variations of the IconAds threat. During our analysis, we identified commonalities in the apps’ code, network communications, behaviors, and other tactics, techniques, and procedures (TTPs) that allowed us to link together multiple adaptations of IconAds.

Behind The Threat: How IconAds Hides Its Activity and Itself

Researchers identified three commonalities within IconAds apps: 

Layered Obfuscation Tactics

Satori researchers observed several types of obfuscation in IconAds applications across Java and native code. IconAds’ primary obfuscation technique uses seemingly random English words to hide certain values—such as model, OS version, and language—during network communications. Additionally, this same obfuscation tactic was used in the URL path and the random words changed from app to app.

Traffic captures from multiple IconAds applications

The threat actors behind IconAds layered obfuscation tactics to increase the challenge of reverse engineering and automated detection of its apps. The Java method names are obfuscated with long names with zeros and O’s, while the strings are encrypted byte arrays which are decrypted by an O-MVLL obfuscated native library. (Later IconAds adaptations encrypted even more of the malicious code.)

Obfuscated representation of hxxps://beye[.]poshoverwatch[.]com

Native library and decryption method

O-MVLL obfuscated library

Command-and-Control (C2) Communications

Researchers observed that each IconAds-associated app had a corresponding, unique C2 domain. The message format of the C2 communications is the same from app to app. For example, C2 network traffic from enden.finder.mange.file.ine was extremely similar to that of com.photofiledetect.comp.

Researchers observed communications to the C2 domains wag[.]hiddenfinders[.]com and airway[.]hiddenfinders[.]com. The latter serves a similar purpose to windmill[.]photofiledetect[.]com: it receives POST requests carrying JSON data with randomly named keys and what appears to be device data as the values.

This meant that the threat actors were buying and setting up a unique domain for each app they pushed to the Play Store, providing the threat actors with additional obfuscation of their apps and their infrastructure. 

The C2 domains generally shared the following syntax, which is generic enough not to be a viable research angle in and of itself:

General signature for an IconAds C2 domain, which generally includes three subdomains, one of which has the “-test” suffix

These domains consistently resolve to a specific CNAME and return a specific message; this means that while the domains were different, they very likely shared the same back-end infrastructure or second-level C2. These and other unique parameters allowed Satori researchers to find more of these domains and associate them back to IconAds.

Matches using a combination of signatures for IconAds C2 infrastructure

Malicious Activity-Alias

Finally, IconAds’ code declares a malicious MAIN/LAUNCHER activity-alias that replaces the default one by using setComponentEnabledSetting from the PackageManager class. This method lets an app enable or disable its own components (activity, receiver, service, provider) at runtime, overriding whatever enabled state the component declares in its manifest. As a result, the default label and icon are displayed when the app is installed, but as soon as the app runs, the activity-alias declared in the manifest becomes active and persists even after relaunching the app or rebooting the device.

Usage of ComponentName to enable the activity-alias and to disable the default activity

As seen below, the android:label is an empty string while the icon is a transparent rectangle, resulting in a white space.

Manifest with activity-alias that will replace the default MAIN/LAUNCHER activity

Hidden application

How IconAds Shows Out-of-Context Ads

Using com.works.amazing.colour—the app shared by another organization on X—as an example, researchers captured unusual behavior and out-of-context ads. After installation, the app replaces its icon with a white circle, the app’s name is empty, and when a user taps the icon, nothing appears to happen. Within a few moments, interstitial ads load regardless of which application is in the foreground.

Ads loaded out of context

The new activity-alias (described above) has an android:label and an android:icon that replace the “correct” ones, an android:name that is the fully qualified class name the ComponentName uses to enable it programmatically, and an android:targetActivity that names the class containing the code.

Manifest declaration of the activity-alias and corresponding icon

The code of the com.exw.poeja target activity contains only an onTouchEvent handler that calls finish(), ending the activity immediately.

activity-alias targetActivity class

setComponentEnabledSetting receives the android:name identifying the activity component to change, together with a new-state value that replaces the android:enabled value from the manifest: 1 enables the component and 2 disables it. IconAds calls it with value 1 for the activity-alias, enabling it, and with value 2 for the initial MAIN/LAUNCHER activity, disabling it.

Usage of setComponentEnabledSetting to enable the new activity
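As an added example (not code from the report or from the apps it describes), the following Python heuristic scans a decoded AndroidManifest.xml for the launcher-swap pattern described above: a MAIN/LAUNCHER activity-alias with an empty label or a non-default icon declared beside the original launcher activity. The sample manifest is constructed; the alias class name com.example.HiddenAlias is a placeholder, while the package name and targetActivity are taken from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
MAIN, LAUNCHER = "android.intent.action.MAIN", "android.intent.category.LAUNCHER"

# Constructed sample (not a real IconAds manifest): default launcher activity plus a
# MAIN/LAUNCHER alias with an empty label, a transparent icon and a stub target.
SAMPLE_MANIFEST = f"""<manifest xmlns:android="{ANDROID_NS}" package="com.works.amazing.colour">
  <application android:icon="@mipmap/ic_launcher" android:label="Colour">
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="{MAIN}"/><category android:name="{LAUNCHER}"/></intent-filter>
    </activity>
    <activity-alias android:name="com.example.HiddenAlias" android:enabled="false"
        android:label="" android:icon="@drawable/transparent" android:targetActivity="com.exw.poeja">
      <intent-filter><action android:name="{MAIN}"/><category android:name="{LAUNCHER}"/></intent-filter>
    </activity-alias>
  </application>
</manifest>"""

def _attr(elem, name):
    """Read an android:-namespaced attribute, or None if it is absent."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")

def _is_launcher(component):
    """True if any intent-filter on the component pairs MAIN with LAUNCHER."""
    for flt in component.findall("intent-filter"):
        actions = {_attr(a, "name") for a in flt.findall("action")}
        categories = {_attr(c, "name") for c in flt.findall("category")}
        if MAIN in actions and LAUNCHER in categories:
            return True
    return False

def find_hidden_launcher_aliases(manifest_xml):
    """Flag MAIN/LAUNCHER activity-aliases that look built to hide the app icon."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_icon = _attr(app, "icon")
    launchers = [c for c in app if c.tag in ("activity", "activity-alias") and _is_launcher(c)]
    findings = []
    for alias in (c for c in launchers if c.tag == "activity-alias"):
        reasons = []
        if _attr(alias, "label") == "":          # explicit empty label hides the app name
            reasons.append("empty label")
        if _attr(alias, "icon") not in (None, app_icon):  # alias ships its own icon
            reasons.append("icon differs from application icon")
        if len(launchers) > 1:                   # original launcher kept for the swap
            reasons.append("more than one MAIN/LAUNCHER component")
        if reasons:
            findings.append({"alias": _attr(alias, "name"), "target": _attr(alias, "targetActivity"), "reasons": reasons})
    return findings
```

Run it over manifests extracted with apktool or a similar decoder; a hit is a triage lead, not proof of malice, since legitimate apps also use launcher aliases for icon variants.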

The encrypted strings are decrypted using a native method located in lib98e3orv.so, an O-MVLL obfuscated native library that required dynamic instrumentation to recover the decrypted strings, including the C2 beye[.]poshoverwatch[.]com.

During the IconAds investigation, a malicious app called com.color.wallpaper.library.hd.beauty was identified with a slight implementation difference. The code responsible for the icon change and for loading ads was stored in an encrypted DEX located in assets/wallpaper_list.dat that, when decrypted, resulted in a DEX file called BBA86F92CBFF64B9AA644E57A5B976AE.dat. This DEX file is later dynamically loaded and uses the class com.sharp.vdx.VdxAction as its entry point.

This application, instead of using a white icon, uses a variation of the Google Play Store’s own icon and name. When opened, it immediately redirects the user to the official Play Store app while continuing to work in the background.

IconAds-associated app mimicking the app icon for Google’s Play Store

IconAds Evolution

In October 2023, a new set of applications was identified as associated with IconAds, but only com.photofiledetect.comp and enden.finder.mange.file.ine were published to the Google Play Store at the time.

In these apps, the team noticed adaptations in the way they obfuscate their static code and also in how they attempted to cloak their behavior during dynamic analysis. 

While apps associated with IconAds each employ multiple obfuscation techniques, the most recent wave of malicious apps features greater variation in techniques than in past waves of this threat. 

Researchers observed the following techniques in recent IconAds-associated apps:

From a dynamic analysis perspective, the primary new addition to the IconAds threat is the ability to check whether the application was installed from the Play Store. Apps make this check by validating their own cryptographic signature, using the third-party library PairIP. If an application does not carry a valid Google Play Store signature, it exits and never reaches out to the C2 server for orders.

Implementation of license check on IconAds apps

In addition to this license check, the actors also added an extra layer of obfuscation against dynamic testing. IconAds-associated applications use third-party services and leverage those platforms’ deep-linking features to decide whether or not to trigger the malicious flows of the application.

Implementation of the conversion flow by IconAds

Conversion requests

This technique has been observed in other operations in the past. (Note: the Human Defense Platform protects customers against the technique/operation described in the linked Zimperium report.)

Many IconAds-associated apps have short shelf lives before being removed from the Play Store. The chart below shows several IconAds-associated apps and their listing/delisting dates:

Conclusion: HUMAN Protects Customers from Sophisticated Threats

Customers partnering with HUMAN for Ad Fraud Defense are and have been protected from the impact of IconAds. With the several evolutions of this threat, researchers expect continued adaptation, with new apps published and new obfuscation techniques added. Satori researchers will continue to monitor the threat actors for new adaptations and new apps associated with IconAds.

In addition, we recommend the following focused actions for ecosystem participants:

Guidance for DSPs (Demand Side Platforms)

Guidance for SSPs (Supply Side Platforms)

Guidance for Publishers

The IconAds operation underscores the increasing sophistication of mobile ad fraud schemes. Ongoing collaboration across the digital advertising ecosystem is essential to disrupting these and future fraud operations.

Acknowledgements

The IconAds story builds on the work of several other cybersecurity researchers, including:

The work of these researchers has been instrumental in expanding the public’s knowledge of elements of this threat, and the Satori team is grateful to them for their research.

IOCs

IconAds Apps First Disclosed by Satori (CSV, HTML)

IconAds Apps Previously Disclosed by Other Researchers (CSV, HTML)