Research by: Avigayil Mechtinger, Andrey Polkovnichenko and Bogdan Melnykov
Checkpoint’s researchers, with the help of Craig Silverman at BuzzFeed, have uncovered a series of applications conducting fraudulent activities against Ad Agencies. Craig Silverman reached out to Check Point with the leads for the applications as a part of his story. The malware found from those leads, dubbed ‘PreAMo’, imitates the user by clicking on banners retrieved from three ad agencies – Presage, Admob, and Mopub.
In total, the malware was downloaded over 90 million times across 6 applications. Google was notified and removed the infected applications from Google Play.
Fig 1: RAM Master Google Play Information
‘PreAMo’ is built from three distinctive parts of code, each dealing with another ad agency. They are not connected in terms of code as each is located in a separate package and have different triggers. What unifies these three code parts is the communication with the same C&C server (res.mnexuscdn[.]com), which is used to send statistics and receive configuration. Furthermore, the behavior of these parts is very similar; they register a listener on a banner being loaded by the ad network, and once the banner is loaded, ‘PreAMo’ uses the functionality of Android’s framework class ‘MotionEvent’ to imitate a click.
However, due to the difference in implementation by the ad libraries, the actor behind ‘PreAMo’ used different approaches dealing with every ad agency. This paper will describe the approach taken by the actor with each ad agency.
1. Ad Agency #1 – Admob:
‘PreAMo’ registers in the manifest a provider named ‘com.google.android.gms.ads.internal.tools.ConfigProvider’, with the sole purpose of initializing its own class ‘AdMobFixer’ at the start of the host application.
This class registers a dynamic receiver with a timer to periodically check for configuration updates from the C&C server.
Fig 2: The registration of the receiver
‘PreAMo’ uses two different methods to detect if an ad banner is being displayed: the first uses reflection to interrupt into the internal structures and install a callback, while the second is based on activity lifecycle callbacks.
Fig 3: Detection method #1
Fig 4: Detection method #2
Android notifies this listener each time when a new activity is created inside the application. ‘PreAMo’ recursively searches for the specific Ad View, starting from the top-level window (Décor)
Fig 5: Implementation of the OnAdActiviy
After successful detection of a banner, ‘PreAMo’ checks a set of conditions:
- Is the user ‘organic’. This flag is the part of the ‘com.DianXinOS’ library and set depending on intent received by the listener of the ‘INSTALL_REFERRER’ If the content contains the word ‘organic’, meaning the application was installed after a search in Google Play, the value is set to True, Otherwise set to False. The Autoclicking will only work if the value is False. However, in some versions of ‘PreAMo’ this value can be received from the C&C server.
- User didn’t click on the ad banner yet.
- Clicking Interval and a daily maximum of clicks are lower than the predefined limit.
- Check for a random value.
If all of conditions are met, ‘PreAMo’ imitates a click on the banner. To achieve this goal, the malware reads predefined coordinate points from the file ‘assets/xdd’, and in some cases, depending on the size of the banner, ‘PreAMo’ can use randomly generated coordinates.
Fig 6: Condition checks performed by ‘PreAMo’
Fig 7: reading predetermined coordinates from ‘xdd’
Fig 8: Using randomly generated coordinates
Ad Agency #2 – Presage:
The execution of this code part is originated from the ‘com.DianXinOS.OService’ class. In a method calls ‘onStartCommand’ ‘PreAMo’ starts a new thread which periodically showing interstitial ads from Presage (ogury) library.
Inside this thread, the malware communicate with the C&C server, and load the configuration from the URL ‘hxxps://res.mnexuscdn[.]com/dp/0845e0150308bcdf5ef03ba8295075f9’.
Fig 9: Thread Creation
Fig 10: Ad strategy (configuration)
‘PreAMo’ receives the configuration and checks period between ads (min_i_sec_limit) and maximum daily ads (max_p_ad). After a successful verification, ‘PreAMo’ shows activity with ads from the Presage library.
Fig 11: checking ad configuration
Fig 12: Interstitial Ads
In addition to showing ads from Presage, ‘PreAMo’ register its own activity manager for the host application, re-implementing the following methods (Figure 13) and replacing the default Presage web client to make it possible to click banners using randomly generated coordinates (Figure 14).
Fig 13: Re-implemented methods from Presage
Fig 14: Randomly generated coordinates
Ad Agency #3 – Mopub:
When ‘PreAMo’ deals with Mopub, the initialization part is located in the content provider. This provider is present in the class ‘com.android.stats.tools.InitProvider’, and on the start of the host application, inside the method ‘OnCreate’, it executes its code and setting up the configuration for a timer.
The timer periodically sends requests to a set of URLs, checking configuration updates:
Similar to the previous parts, the configuration includes various delays and conditions related to the clicking algorithm. Additionally, it contains parameters targeted to the fake host application. Due to the fact that Mopub library is open-source, the actor behind ‘ProAMo’ was able to inject their code, mixing it with the library’s original code. For instance, the usage of fake package information in the method ‘com.mopub.common.AdUrlGenerator’.
Fig 15: Fake package information
Fig 16: Faking host information
Fig 17: Implementation of MraidController
Originally, the implementation of the onOpen called class URLHandler, processing the URL corresponding to its scheme. The actor behind ‘PreAMo’ made its own changes into the process. Now, if the URL’s processed correctly, and it’s an HTML page, a click imitation will occur.
Fig 18: Clicking Imitation #1
The same thing was done with HTMLWebViewClient. It contains the method ‘shouldOverrideUrlLoading’, giving the host application a chance to take control when a URL is about to be loaded in the current WebView. Originally Mopub had used it to check how to process the URL being loaded to the Webview, but malware developer injected its own code, performing a click on the page being loaded.
Fig 19: Click imitation #2
The C&C Server:
The C&C ‘res.mnexuscdn.com’ is registered via anonymous service, first seen at 12.12.18 according to passive total’s RiskIQ.
Fig 20: WhoIS data from RiskIQ
In a world where ad revenue can produce a very high income, it’s not surprising why malicious actors are after fraudulent activities against ad agencies. “Follow the money” is a good rule of thumb while investigating a malicious campaign.
The research on how to deal with every ad agency, different code segments and a logging activity show us the amount of effort this actor has invested in this operation. With applications reaching 50,000,000+ downloads, we can only speculate the amount of money generated by this fraudulent activity.
How can you protect yourself:
With a few simple steps, you can also protect your device from malicious activities:
- Install application from an official market, such as Google Play.
- Always check the rating, comments, and download count of an application before installing.
- Install a security solution from a well-known vendor.
- Don’t connect to networks that you don’t fully trust.
- Always check links before clicking or sending personal information.
Receive configuration for AdMob clicks:
Receive configuration for Mopub clicks:
Receive configuration for presage/ogury clicks:
Appendix 1 – Application List:
||Estimated downloads from Google Play