Newsroom

HUMAN Discovers and Disrupts Ad Fraud Scheme Impacting 89 Apps with More Than 13 Million Downloads from Google Play and Apple App Stores

By HUMAN

Modern defense strategy enables disruption of sophisticated ad fraud operation, part of an ongoing attack with new adaptations designed to target codes and spoofing

NEW YORK — (Sept. 23, 2022) — HUMAN Security, Inc. (formerly White Ops), the global leader in safeguarding enterprises from digital attacks with modern defense, today announced the discovery and disruption of a highly sophisticated fraud operation targeting advertising software development kits (SDKs) within 9 apps on the Apple App Store and 80 Android apps on the Google Play Store, which collectively have been downloaded more than 13 million times. The attack, nicknamed Scylla, is an adaptation of a fraud scheme first observed and disrupted by HUMAN’s Satori Threat Intelligence and Research Team in 2019. While the attack is ongoing and actively being monitored by the Satori team, HUMAN has collaborated with Apple, Google and others to take down the fraudulent apps from their respective app stores. 

“Our number one goal is to protect our customers and the digital ecosystem from cybercriminals such as those behind these attacks. The only way we can do this is with modern defense where we can work together across the industry on disruptions like Scylla,” said HUMAN Co-Founder and CEO Tamer Hassan. “We will continue to remain vigilant for other similar attacks  and harness the work of collective protection—where an attack on one is a protection event for all—disrupting the economics of cybercrime. That’s the only way we win. ”

Scylla is the third wave of an operation HUMAN first uncovered in 2019, in which a collection of 40+ Android apps openly committed multiple types of ad fraud. That scheme, nicknamed Poseidon after elements of the code within the apps, was disrupted by the Satori team’s reverse engineering efforts, resulting in Google removing the apps from its Play Store. A 2020 adaptation of the scheme, nicknamed Charybdis after the daughter of Poseidon, incorporated additional code obfuscation and SDK targeting techniques. 

Today’s announcement of the disruption of Scylla—named after the granddaughter of Poseidon—reflects a new evolution from the threat actors behind the scheme. While the Poseidon and Charybdis operations centered wholly on Android apps, the Satori team has found evidence that Scylla additionally targets iOS apps and has expanded the attack to other parts of the digital advertising ecosystem.

HUMAN’s Satori team worked closely with the Google Play Store and Apple App Store to ensure all of the apps identified as being associated with the Scylla operation have been removed from public access. HUMAN also closely collaborated with impacted advertising SDK developers to mitigate the impact of the operation to their processes and their advertising partners. Customers of HUMAN’s MediaGuard solution are protected from fraud associated with Scylla and with its predecessors.

Apps within the Scylla operation committed fraud through a variety of tactics, including:

    • App spoofing, in which the Scylla apps pretended to be other apps for the purpose of digital advertising,
  • Hidden ads, in which the apps would render advertisements in places a user couldn’t actually see them, and
  • Fake clicks, in which the apps would keep track of real clicks on advertisements in order to fake additional clicks later.

These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla. This is an ongoing attack, and users should consult the list of apps in the report and consider removing them from all devices. As this attack has evolved multiple times already, the Satori team has withheld certain details about the operation in order to better track and report on further adaptation.

HUMAN verifies the humanity of more than 15 trillion digital interactions per week, offering enterprises a platform with unmatched visibility into fraudulent activity across the Internet. HUMAN achieves this scale through its continued expansion in cybersecurity, including its recent merger with PerimeterX, now offering a suite of products to protect the complete digital customer journey. With new partners and enterprises now able to leverage the Human Defense Platform, comes an even deeper understanding of the cybercrime landscape, enabling HUMAN to adapt continuously, staying ahead of adversaries with modern defense (leveraging internet visibility, network effect, and disruptions), and safeguarding clients with collective protection against threat models they have yet to encounter.

The Satori team used numerous tools to identify Scylla and its operators, whose information has been shared with law enforcement. To learn more about the Scylla operation, visit the HUMAN blog.  

###

About HUMAN
HUMAN is a cybersecurity company that safeguards 500+ customers from digital attacks including sophisticated bots, fraud and account abuse. We leverage modern defense—internet visibility, network effect, and disruptions—to enable our customers to increase ROI and trust while decreasing end-user friction, data contamination, and cybersecurity exposure.Today we verify the humanity of more than 15 trillion interactions per week across advertising, marketing, e-commerce, government, education and enterprise security, putting us in a position to win against cybercriminals. Protect your digital business with HUMAN. To Know Who’s Real, visit www.humansecurity.com