Ad fraud malware infects 4.6M Android devices
Written by Nicole Cappella Thu 26 Dec 2019

A new threat has been uncovered, infecting over 4.6 million Android devices with ad fraud malware embedded in Google Play apps.
The threat intelligence team at WhiteOps recently discovered Soraka, a malicious code package infecting over 100 apps on the Google Play store with more than 4.6 million downloads.
Soraka and a related variant named Sogo use a framework known as AppsFlyer to deliver out-of-context (OOC) advertisements while circumventing detection tools.
After an infected application is installed, the Soraka code removes the device's protections against fraudulent activity while the phone screen is off. Fraudsters can then deliver fraudulent advertisements, dynamically registering broadcast listeners for user activity in order to monitor the state of the device.
However, the ad fraud is only perpetrated when a customer follows a promotional push – clicking on an invitation or promotion after the app is installed. This helps Soraka avoid detection by automated systems on the device that check for threats at installation time.
Soraka also appears to analyze user behavior on the device, delivering different ads at a different frequency depending on the actions of users. It uses ad serving platform controls for a granular, individual-level control of ad delivery.
Before a fraudulent ad is delivered, Soraka will check filters including Screen On, TopActivity, Daily Count Limit, and Trigger Time Interval. This ensures that ad rendering is spaced out and subject to a daily maximum to better evade detection. The malicious code also includes Cyrillic characters, from the Udmurt dialect used in the Volga region, which may have been used to make Soraka more difficult to identify.
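The pacing described above (out-of-context rendering gated by a daily cap and a minimum interval) is what a defender would look for in device telemetry. The following is an added example, not code from the article or from WhiteOps: it runs over a constructed, hypothetical log of ad-render events (package names and timestamps are invented) and profiles each package's OOC impressions by daily maximum and minimum spacing.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed telemetry (hypothetical), not from the article or the WhiteOps research.
# Each record: (timestamp, package that rendered the ad, package in the foreground, screen on?)
EVENTS = [
    ("2019-12-20T09:00:00", "com.example.fortune", "com.example.fortune", True),   # in-context
    ("2019-12-20T09:20:00", "com.example.fortune", "com.android.launcher", True),  # OOC: launcher on top
    ("2019-12-20T09:50:00", "com.example.fortune", "com.android.chrome", True),    # OOC, 30 min later
    ("2019-12-20T10:20:00", "com.example.fortune", "com.android.chrome", True),    # OOC, 3rd of the day
    ("2019-12-21T08:00:00", "com.example.fortune", "com.android.launcher", True),
    ("2019-12-21T08:30:00", "com.example.fortune", "com.android.settings", True),
    ("2019-12-21T11:00:00", "com.example.fortune", "com.android.chrome", True),
    ("2019-12-20T12:00:00", "com.example.reader", "com.example.reader", True),     # benign: always in-context
    ("2019-12-20T12:10:00", "com.example.reader", "com.example.reader", True),
]


def parse(events):
    return [(datetime.fromisoformat(ts), app, top, on) for ts, app, top, on in events]


def out_of_context(events):
    """Ads rendered with the screen on while a different package owns the foreground."""
    return [e for e in parse(events) if e[3] and e[1] != e[2]]


def throttle_profile(events):
    """Per package: OOC count, max OOC ads per calendar day, and the smallest
    gap in minutes between consecutive OOC ads on the same day."""
    by_app = defaultdict(list)
    for ts, app, _top, _on in out_of_context(events):
        by_app[app].append(ts)
    profile = {}
    for app, stamps in by_app.items():
        stamps.sort()
        per_day = Counter(ts.date() for ts in stamps)
        gaps = [(b - a).total_seconds() / 60
                for a, b in zip(stamps, stamps[1:]) if a.date() == b.date()]
        profile[app] = {"ooc": len(stamps),
                        "max_per_day": max(per_day.values()),
                        "min_gap_min": min(gaps) if gaps else None}
    return profile


def flag_soraka_like(events, min_ooc=3):
    """Packages that repeatedly render OOC ads; the capped, evenly spaced
    profile is the evasion pattern the article attributes to Soraka."""
    return sorted(app for app, p in throttle_profile(events).items() if p["ooc"] >= min_ooc)
```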
Soraka / Sogo have been found in apps ranging from ‘Cute Love Test’ to ‘Sleep Assistant’, as well as file manager and photo editor apps. In their blog post illustrating the threat, WhiteOps used the ‘Best Fortune Explorer’ app to demonstrate how Soraka works to compromise an infected device. The blog also includes a full list of infected applications, which are recommended for immediate removal from Android devices.
As of today, ‘Best Fortune Explorer’ is still available for download on the Google Play Store.