The threat actors behind a newly discovered malicious adware operation have been active since at least 2019, but researchers tracking their evolution report that the group has become more sophisticated, expanding beyond its previous Android-specific attacks in the iOS ecosystem.
The latest campaign, according to researchers from Human Security’s Satori Research Team, included 80 hidden Android apps in the Google Play Store and, notably, 9 in the Apple App Store. In total, the team reported that the malicious apps had been downloaded at least 13 million times.
Once downloaded, rogue apps spoof other apps to accumulate digital ad views, deliver hidden ads that the user couldn’t see to gain fraudulent views, and even track legitimate ad clicks to fine-tune the group’s ability to simulate them more convincingly later.
The research team, which flagged the apps for removal from official stores, calls this latest iteration the Scylla attack group. The first version of the group was called Poseidon, then Charybdis. Scylla is the third wave of attacks threat actors, the human team explained in its report.
“Today’s announcement of the disruption of Scylla – named after Poseidon’s granddaughter – reflects a further evolution of the threat actors behind the scheme,” the human team said of the discovery. . “While the operations of Poseidon and Charybdis were entirely focused on Android apps, the Satori team found evidence that Scylla also targets iOS apps and extended the attack to other parts of the advertising ecosystem. digital.”
Human Security worked with Google and Apple to remove the malicious apps and continues to work with adware SDK developers to mitigate fallout from the campaign.
“These tactics, combined with the obfuscation techniques first seen in Operation Charybdis, demonstrate the heightened sophistication of the threat actors behind Scylla,” the human team added. “It’s a In progress attack, and users should review the list of apps in the report and consider removing them from all devices.”