As many as 75 apps on Google Play and 10 on Apple App Store have been discovered engaging in ad fraud as part of an ongoing campaign that commenced in 2019.
The latest iteration, dubbed Scylla by Online fraud-prevention firm HUMAN Security, follows similar attack waves in August 2019 and late 2020 that go by the codename Poseidon and Charybdis, respectively.
Prior to their removal from the app storefronts, the apps had been collectively installed more than 13 million times.
The original Poseidon operation comprised over 40 Android apps that were designed to display ads out of context or hidden from the view of the device user.
Charybdis, on the other hand, was an improvement over the former by making use of code obfuscation tactics to target advertising platforms.
Scylla presents the latest adaption of the scheme in that it expands beyond Android to make a foray into the iOS ecosystem for the first time, alongside relying on additional layers of code roundabout using the Allatori tool.
These apps, once installed, are engineered to commit different kinds of ad fraud, marking a significant step up in sophistication from previous variants.
These include spoofing popular apps such as streaming services to trick advertising SDKs into placing ads, serving out-of-context and “hidden” ads via off-screen WebViews, and generating fraudulent ad clicks to profit off ads.
“In layman’s terms, the threat actors code their apps to pretend to be other apps for advertising purposes, often because the app they’re pretending to be is worth more to an advertiser than the app would be by itself,” the company said.
As always, users are advised to scrutinize apps prior to downloading them, and avoid third-party app stores on the web that could harbor malicious applications.