
Fooled by the Empty Promises of an Android Botnet

Image Credit: Sashkin/Bigstockphoto.com

There’s a familiar axiom that has a special application in cybersecurity: if it seems like it’s too good to be true, it almost certainly is. If there’s a free app that promises to give you a brand new pair of designer shoes just for downloading it...it’s almost certainly not going to actually give you those shoes.

Yet when a family of apps showed up on the app store offering exactly this deal in exchange for a download and some personal details, a total of two billion fraudulent digital advertising slots were fabricated and 65,000 devices infected, all in just one week.

The offending apps first appeared towards the end of 2019, luring users against their better judgement by dangling the carrot of free shoes, event tickets, and even dental treatments. All people had to do was download the app and fill in some personal information in order to receive these goodies.

Noticing something amiss, the White Ops Satori Threat Intelligence & Research team, which works to safeguard people against digital criminals like these, intervened against this covert Android botnet. Here, we share how the ad fraud botnet (codenamed TERRACOTTA) was detected, and the actions taken against it.

How a piece of malware lurked behind the scenes undetected

Although it's disappointing to learn that a promised pair of shoes was never on its way, the TERRACOTTA malware brings a load of other problems that affect not just the user but the advertising industry. The clever part? The apps only begin to reveal themselves after a 14-day period during which the user is supposed to be waiting for their promised reward, just when they've begun to forget about the entire endeavor.

These apps didn't report themselves as ad-supported to the marketplaces and showed no obvious monetization mechanism to users. As a result, no user complaints or reports of unwanted apps surfaced to draw attention to them.

The main application code (APK) is written with React Native, an open-source mobile app framework, and simply renders a form for the user to fill in to receive their "goods". No malicious functionality is present at this point, which makes the problem difficult to detect in the early stages. On closer inspection, however, there are hints of malicious intent that must be declared in the APK at compile time, such as permissions we often see requested by continuously running ad fraud malware.

Once loaded onto a device, a customized Android browser packaged alongside a control module begins to generate fraudulent ad impressions, which are then sold into the programmatic advertising ecosystem, fooling advertisers with false numbers.

TERRACOTTA pulled this off by modifying technical parameters that are commonly used to verify which application renders an ad. It also sidesteps app-ads.txt, the industry-wide mechanism for detecting ad fraud of this nature, by misrepresenting itself as apps that don't participate in the initiative.

TERRACOTTA also demonstrated one of the rarer forms of deception against bot mitigation: tag evasion. This technique is akin to ad blocking, although instead of blocking the loading of content from ad-serving domains, the malware blocks content loading from ad-verification domains to suppress fraud detection.

The takedown of TERRACOTTA and its impact

The highly uniform browser distribution and the presence of outdated Chrome mobile sessions were what led us to identify TERRACOTTA. Because of the 14-day waiting period, users were happy to leave the app installed on their phone despite it not serving any purpose. This coy tactic gave the malware space to lie low before activating. The activation delay provided an added bonus for the operators, since it escapes the prying eyes of antivirus scanners. Unless an app is kept under observation for an extended period of time (which is costly and therefore avoided if nothing sets off an alarm), it can easily slip through.

Working with Google, we identified rotation across several older versions of Chrome for Android. This revealed that TERRACOTTA was lying about its browser engine, adopting a user-agent spoofing strategy to evade detection.

During this process we found that many of the values in suspected TERRACOTTA traffic were "spoofed," with false values deliberately placed in the technical stack. We identified that a large portion of the TERRACOTTA traffic carried a single value in the "Referer" field of its HTTP GET headers. Based on this knowledge, the team isolated the traffic and gained insight into the way the malware was built.
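The signals described above (a browser distribution concentrated on a few outdated Chrome versions, and one constant Referer value across a large share of requests) can be reduced to a log triage script. The following Python is an added example, not White Ops tooling: the tab-separated log format, the sample lines, the Chrome version baseline and the thresholds are all constructed assumptions.

```python
"""Heuristic triage of in-app ad-request logs for spoofed User-Agent and Referer
values. Added example; log format, thresholds and sample data are assumptions."""
import re
from collections import Counter, defaultdict

# Assumed baseline: the newest Chrome for Android major version at the time the
# logs were collected. Sessions far behind it are treated as "outdated".
CURRENT_CHROME_MAJOR = 85
MAX_VERSION_LAG = 10            # majors behind baseline before a session is outdated
OUTDATED_SHARE_THRESHOLD = 0.9  # >= 90% outdated sessions for one app is suspicious
REFERER_SHARE_THRESHOLD = 0.8   # one Referer on >= 80% of an app's requests is suspicious

CHROME_RE = re.compile(r"Chrome/(\d+)\.")

# Constructed User-Agent shape used to build the sample log below.
UA_TEMPLATE = ("Mozilla/5.0 (Linux; Android 9; Pixel 3) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/%d.0.0.0 Mobile Safari/537.36")


def make_line(app, chrome_major_version, referer):
    """Build one constructed log line: app_bundle <TAB> user_agent <TAB> referer."""
    return "\t".join([app, UA_TEMPLATE % chrome_major_version, referer])


# Constructed sample log. The first app rotates among a few old Chrome builds and
# always sends the same Referer; the second looks like ordinary, varied traffic.
SAMPLE_LOG = "\n".join(
    [make_line("com.example.freeshoes", v, "http://static-referer.example/")
     for v in (64, 66, 64, 70, 66, 64)] +
    [make_line("com.example.news", v, ref) for v, ref in (
        (84, "https://news.example/home"), (85, "https://news.example/sports"),
        (83, "https://news.example/home"), (85, "https://news.example/weather"))])


def chrome_major(user_agent):
    """Return the Chrome major version a User-Agent claims, or None if absent."""
    m = CHROME_RE.search(user_agent)
    return int(m.group(1)) if m else None


def parse_log(text):
    """Parse tab-separated lines into dicts with app, ua and referer keys."""
    records = []
    for line in text.strip().splitlines():
        app, ua, referer = line.split("\t")
        records.append({"app": app, "ua": ua, "referer": referer})
    return records


def profile_app(records):
    """Summarise version spread and Referer concentration for one app's requests."""
    majors = [m for m in (chrome_major(r["ua"]) for r in records) if m is not None]
    outdated = [m for m in majors if m < CURRENT_CHROME_MAJOR - MAX_VERSION_LAG]
    referers = Counter(r["referer"] for r in records)
    top_referer, top_count = referers.most_common(1)[0]
    return {
        "requests": len(records),
        "distinct_majors": sorted(set(majors)),
        "outdated_share": len(outdated) / len(majors) if majors else 0.0,
        "top_referer": top_referer,
        "top_referer_share": top_count / len(records),
    }


def flag_apps(text):
    """Return {app_bundle: [reasons]} for apps whose traffic matches the heuristics."""
    by_app = defaultdict(list)
    for r in parse_log(text):
        by_app[r["app"]].append(r)
    findings = {}
    for app, recs in by_app.items():
        p = profile_app(recs)
        reasons = []
        if p["outdated_share"] >= OUTDATED_SHARE_THRESHOLD:
            reasons.append("only outdated Chrome majors seen: %s" % p["distinct_majors"])
        if p["top_referer_share"] >= REFERER_SHARE_THRESHOLD:
            reasons.append("single Referer %r on %.0f%% of requests"
                           % (p["top_referer"], 100 * p["top_referer_share"]))
        if reasons:
            findings[app] = reasons
    return findings


if __name__ == "__main__":
    for app, reasons in flag_apps(SAMPLE_LOG).items():
        print(app)
        for reason in reasons:
            print("  -", reason)
```

The two rules are deliberately independent: an app can legitimately run on an old WebView, and a single Referer is normal for some ad placements, so each rule on its own is only a lead. In practice both fire together for the constructed "freeshoes" traffic, which is the pattern the investigation describes.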

A spokesperson from Google states, "Due to our collaboration with White Ops investigating the TERRACOTTA ad fraud operation, their critical findings helped us connect the case to a previously found set of mobile apps and to identify additional bad apps. This allowed us to move quickly to protect users, advertisers and the broader ecosystem - when we determine policy violations, we take action."

Taking action for a fraud-free future

With Google's help, all identified TERRACOTTA apps have been removed from the Google Play Store.

But even though this operation has been disrupted, active TERRACOTTA infections remain, generating invalid ad impressions sold through RTB (real-time bidding). This is where the ad-tech community can play its part in putting a stop to it. App publishers should add app-ads.txt files to new apps to protect existing inventory. Likewise, advertisers should only buy inventory from publishers that are app-ads.txt verified. Such a move pushes the industry as a whole to be proactive and take the necessary actions to safeguard its systems.
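To make the app-ads.txt advice concrete, and to show the gap that TERRACOTTA exploited earlier in this article by posing as apps that don't participate, here is an added Python example (not White Ops or IAB code) of the check a buyer can run on an in-app bid request: look up the developer site for the app bundle, fetch that site's app-ads.txt, and only treat the claimed seller account as authorized if the file lists it. The bundle-to-site mapping, the file contents and the bid-request fields are constructed; the record format (ad system domain, seller account ID, DIRECT or RESELLER, optional certification authority ID, with # comments and key=value variable lines) follows the public ads.txt format that app-ads.txt reuses.

```python
"""Validate a bid request's claimed seller against the publisher's app-ads.txt.
Added example; the mapping, file contents and request fields are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AdsRecord:
    ad_system: str               # exchange / SSP domain
    account_id: str              # publisher's seller account at that exchange
    relationship: str            # "DIRECT" or "RESELLER"
    cert_authority: Optional[str] = None


def parse_app_ads_txt(text):
    """Parse app-ads.txt records; comments, variables and malformed lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or "=" in line.split(",", 1)[0]:
            continue                                 # blank or key=value variable line
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue                                 # malformed: do not trust it
        relationship = fields[2].upper()
        if relationship not in ("DIRECT", "RESELLER"):
            continue
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        records.append(AdsRecord(fields[0].lower(), fields[1], relationship, cert))
    return records


# Constructed: the developer website an app store listing would point to, and the
# app-ads.txt each site publishes (None means the site serves no file at all).
DEVELOPER_SITES = {
    "com.example.news": "news.example",
    "com.example.freeshoes": "freeshoes.example",
}
PUBLISHED_FILES = {
    "news.example": """
        # app-ads.txt for news.example (constructed sample)
        contact=adops@news.example
        exchange-a.example, pub-1001, DIRECT, abcd1234
        exchange-b.example, 55-77, RESELLER
    """,
    "freeshoes.example": None,
}


def check_bid_request(bundle, seller_domain, seller_account,
                      sites=DEVELOPER_SITES, files=PUBLISHED_FILES):
    """Return (verdict, reason) for an in-app bid request.

    verdict is "authorized", "unauthorized" or "unverified". A buyer following
    the advice above bids only on "authorized" inventory; "unverified" is the
    state a fraudulent app relies on when it impersonates a non-participant.
    """
    site = sites.get(bundle)
    if site is None or files.get(site) is None:
        return "unverified", "no app-ads.txt published for %s" % bundle
    for rec in parse_app_ads_txt(files[site]):
        if rec.ad_system == seller_domain.lower() and rec.account_id == seller_account:
            return "authorized", "%s lists %s as %s" % (site, seller_domain, rec.relationship)
    return "unauthorized", "%s/%s not listed in %s/app-ads.txt" % (
        seller_domain, seller_account, site)


if __name__ == "__main__":
    # Constructed bid requests: (app bundle, seller domain, seller account id)
    for req in (("com.example.news", "exchange-a.example", "pub-1001"),
                ("com.example.news", "exchange-a.example", "pub-9999"),
                ("com.example.freeshoes", "exchange-a.example", "pub-1001")):
        print(req, "->", check_bid_request(*req))
```

In a real buying pipeline the `DEVELOPER_SITES` and `PUBLISHED_FILES` lookups would be the app store metadata and an HTTP fetch of https://<developer-site>/app-ads.txt, cached per site. The important design choice is that a missing file yields "unverified" rather than "authorized": treating absence as acceptable is exactly what lets an app that pretends not to participate keep selling.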

Apart from that, staying vigilant and consistently educating consumers on how to recognize fraud would be a good first step toward fighting fraudsters like the TERRACOTTA operators.

Author

Joe Tallett is a manager on the detection team at White Ops, tasked with identifying and protecting White Ops customers against sophisticated bot-driven web traffic. Prior to joining White Ops, Joe was a software engineer at Google, working on Google's Ad Traffic quality team.
