Google, Apple Remove ‘Scylla’ Mobile Ad Fraud Apps After 13 Million Downloads

Cybersecurity company Human detected and prevented a mobile ads scam campaign involving 89 mobile applications with a total downloads of 13 million.

Dubbed Scylla, the campaign is the third adaptation of Poseidon, a scam operation first identified in 2019. Charybdis, the second iteration of the campaign, was observed in 2020.

As part of the new ongoing attack, Human identified a total of 80 Android and 9 iOS applications involved in ad fraud through app spoofing, hidden ads and fake clicks.

The applications contained obfuscated code similar to Charybdis and, like this attack adaptation, software development kits (SDKs) for targeted advertising, Human explains.

Some of the Scylla apps contained code to impersonate other, entirely different applications to advertisers and ad tech companies. Human identified 29 Android apps that pretended to be over 6,000 CTV-based applications to generate higher ad revenue compared to mobile games.

Other apps contained code that informed advertisers that they were showing the user ads when they weren’t. The code would render ads when the apps were closed, such as when the device was on the home screen, the researchers say.

Finally, some of the applications would register the information about the user’s actual clicks on ads and then send it to advertisers as a fake click.

“These tactics, combined with the obfuscation techniques first observed in Operation Charybdis, demonstrate the increasing sophistication of the threat actors behind Scylla,” notes Human.

The security researchers also underscore the fact that Scylla is the first iteration of the campaign in which the attackers have expanded their operation to iOS.

Both Google and Apple have been notified of the findings and the identified applications have been removed from the Google Play Store and the Apple App Store. The developers of advertising SDKs were also informed about the attack.

Human has published a list of Scylla applications and advises users to review this list and consider removing all applications from all devices.

See Also: US Recovers $15M From Ad Fraud Group

Also see: Ad fraud operation responsible for a large amount of Connected TV traffic

See also: Facebook sues Chinese company over ad fraud

Show counters

Ionut Arhire is international correspondent for SecurityWeek.

Previous columns by Ionut Arhire: