HUMAN Discovers Konfety Ad Fraud Operation Wielding Novel ‘Evil Twin’ Evasion Method

Sophisticated cybercriminal operations represent a new form of fraud and obfuscation, enabling threat actors to own and operate malicious versions of over 250 Google Play apps and drive as many as 10 billion bid requests per day by representing fraudulent traffic as legitimate.


NEW YORK, July 16, 2024 (GLOBE NEWSWIRE) -- HUMAN Security, Inc., the global cybersecurity leader in disrupting bot attacks and preventing digital fraud and abuse, today announced it has uncovered an advanced mobile advertising fraud campaign that uses a new “evil twin” evasion method to operate under the radar. The operation, which HUMAN has dubbed Konfety, operates two apps sharing the same ID. One is an “evil twin” version that is distributed via malvertising and malicious downloads and performs ad fraud. The other is a “decoy twin” version available on major marketplaces, with more than 250 decoy applications available on the Google Play Store. HUMAN’s Satori Threat Intelligence and Research Team has determined that, at its peak, Konfety-related programmatic bids reached 10 billion requests per day.

The Konfety operation implements this "evil twin" method to conduct fraud by abusing an advertising software development kit (SDK) from Russia-based ad network CaramelAds. Though not inherently malicious, the SDK was exploited by threat actors to request and render ads, sideload additional Android Package Files (APKs), and communicate with command-and-control (C2) servers. Decoy apps on the Play Store purport to be owned by different developers but are mostly template-based apps owned by the Konfety threat actor group.

The CaramelAds code offers basic functionality to render banner ads and interstitials and a straightforward analytics interface to measure ad performance. The SDK can, however, be abused by developers to make it appear as though the traffic originates from any type of device they choose, enabling this device to navigate to malicious URLs , use hard-coded malicious URLs, and more. The decoy apps had an average of only 10,000 downloads each, and did not generate ads, prompting HUMAN researchers to investigate how the high volume of ad traffic was being generated; this resulted in the team uncovering the “evil twin” model in which the malicious twins were the ones generating ads using the identifiers of the decoy apps.

“Konfety’s operations depict the latest in a series of adaptations from ad fraudsters to cloak their activities using novel tactics that enable them to evade detection,” said Lindsay Kaye, Vice President of Threat Intelligence at HUMAN. “The Satori team’s investigation shows how threat actors are getting around the risk of hosting malicious apps on app stores by finding new and innovative ways to fly under the radar and commit long-term fraud.”

All customers partnering with HUMAN for pre-bid mitigation and post-bid detection are safeguarded from the impacts of Konfety. Fraud in the digital advertising supply chain harms inventory and the entire digital ecosystem. This leaves ad tech platforms with reduced inventory value and damaged reputations with demand partners. HUMAN’s Ad Fraud Defense ensures that only verified human inventory is allowed into the bidding process—without affecting platform speed and regardless of channel.

The HUMAN Satori team has provided detection and signaturing insight to external partners and developed signatures for Konfety techniques to track any additional apps in openly available repositories. HUMAN continues to monitor the Konfety threat, including how the threat actor adapts to defenses and keeps those defenses updated to combat the latest TTPs the threat actor employs.

To learn more about the Konfety investigation, visit the HUMAN blog and read the full technical report.

About HUMAN
HUMAN is a cybersecurity company that protects organizations by disrupting bot attacks, digital fraud and abuse. We leverage modern defense to disrupt the economics of cybercrime by increasing the cost to cybercriminals while simultaneously reducing the cost of collective defense. Today we verify the humanity of more than 20 trillion digital interactions per week across advertising, marketing, e-commerce, government, education and enterprise security, putting us in a position to win against cybercriminals. Protect your digital business with HUMAN. To Know Who’s Real, visit www.humansecurity.com.

Contact information:
Masha Krylova, Director of Communications
masha.krylova@humansecurity.com

A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/eb7ced93-a635-4a3e-a42d-5aa8063837d8


Konfety press release image