Giveaway Scam Infects 65,000 Devices with Malware

A family of Android apps is using the lure of free items to distribute a novel ad fraud botnet.

Victims of the scam are told that they will receive a complimentary gift when they download an app from the Google Play Store. However, the only thing received by victims is an infection of malware that silently loads ads in the background on their smart device.

The ad fraud operation, discovered by White Ops’ Satori Threat Intelligence & Research team, which named it TERRACOTTA, started in late 2019. The team found that by the end of June 2020, more than 65,000 devices had been unwitting participants in the scam, over 5,000 apps had been spoofed, and more than 2 billion bid requests had been generated.

“What makes this unique is that the fraudsters were advanced in knowing how to pull off ad fraud verification plausibly,” said a White Ops spokesperson.

“This means the ads were never being reported via the Google Play Store for showing ads, nor were users complaining of seeing unwanted ads. Instead, they were lying dormant, and the only ‘free product’ being delivered to users was a payload of ad fraud malware.”

Among the free gifts used as lures were boots, sneakers, event tickets, coupons, and expensive dental treatments. The real item that victims received was a customized Android browser packaged alongside a control module written in the React Native development framework.

When loaded onto the victim’s phone, the browser generates fraudulent ad impressions, sold into the programmatic advertising ecosystem to defraud advertisers.

Google Play Store reviews for the apps started out at five stars as victims applauded the giveaway idea. However, disappointed victims who didn’t receive the promised freebies soon took to the review section to express their disappointment and share their suspicions that the app they had downloaded was malicious.

One victim’s review read: “Terrible. I received confirmation of my free Nike Air Jordans but never received any delivery, tracking number or anything. Possibly a fraudulent site, do not give personal information.”