Google has removed an undisclosed number of Android apps from the official Google Play store that the company claims were part of an ad fraud botnet.
Named Terracotta, this botnet was discovered by Satori’s mobile security team at White Ops, a security company specializing in identifying bot behavior.
White Ops researchers said they have been tracking Terracotta since late 2019, when the botnet appears to have been activated.
Install a malicious app for a free product
According to the researchers, Terracotta operated by uploading applications to the Google Play Store that promised users free benefits if they installed the applications on their devices.
The apps typically offered shoes, sneakers, boots, and sometimes tickets, coupons, and expensive dental treatments. Users were asked to install the app and then wait two weeks to receive the free products, during which time they had to leave the app installed on their smartphone.
However, the apps downloaded and ran a modified version of WebView, a stripped-down version of Google Chrome. The Terracotta gang ran the modified WebView browser hidden from view and carried out ad fraud by loading ads in it and earning revenue from fake ad impressions.
The White Ops team described Terracotta as complex and massive. It was complex because it used advanced techniques to avoid detection by defrauded ad networks, and it was massive because of the scale at which it operated.
For example, White Ops said that in the last week of June alone, the Terracotta botnet quietly loaded more than two billion ads inside 65,000 infected smartphones.
Some Terracotta applications have been removed from Google Play
Currently, following Google's intervention, the botnet's presence in the Play Store has been reduced, but it has not been completely removed, and some devices still appear to be infected.
Some users might think that because Terracotta's malicious apps were defrauding ad networks and not users directly, this botnet is not a problem for them. On infected devices, however, the malicious apps would often drain batteries and consume mobile bandwidth, because they ran around the clock.
Unfortunately, White Ops has not released a list of Terracotta-infected apps. However, the good news is that when Google removes malicious apps from the Play Store, the company also disables malicious apps on all users’ devices, stopping their malicious behavior.
“Due to our collaboration with White Ops investigating TERRACOTTA’s ad fraud operation, their critical findings helped us connect the case with a previously found set of mobile apps and identify additional bad apps. This allowed us to act quickly to protect users, advertisers and the ecosystem in general; when we determine policy violations, we take action,” said a Google spokesperson.
For security researchers, Android application developers, and software engineers, White Ops has released a whitepaper detailing the inner workings of Terracotta.