Satori reports on Konfety, a fraud campaign that abuses the CaramelAds mobile ad SDK to generate malicious duplicates of popular apps. The campaign yielded numerous indicators of compromise, including 250 evil twin apps on Google Play and hundreds of associated domains and IP addresses. #Konfety #CaramelAds #GooglePlay #Satori #Russia #Bahamas #Netherlands
Keypoints
- Konfety is a fraud campaign that abuses the CaramelAds mobile ad SDK to create malicious duplicates of popular apps.
- At least 250 evil twin apps detected on Google Play.
- Researchers published 23 IoCs: 17 domains and 6 IP addresses; expanded findings include 302 email-connected domains and 326 string-connected domains.
- IoC expansion identified 5 additional IP addresses (2 malicious) and 8 IP-connected domains (1 linked to malware distribution) along with 326 string-connected domains (1 linked to malware distribution).
- Geographic distribution shows the majority of domain IoCs registered in Russia, with some in the Bahamas and the Netherlands.
- Domain IoCs were created between 2017 and 2023, with a peak in 2020.
- Historical WHOIS records revealed 30 email addresses linked to the IoCs, and the artifacts are downloadable from the researchers' site.
MITRE Techniques
- [T1203] Malicious Software Installation: "Threat actors create malicious duplicates of popular apps to distribute malware."
- [T1483] Domain Generation Algorithms: "Use of numerous domain names to evade detection and maintain persistence."
- [T1003] Credential Dumping: "Potential use of compromised email addresses to access additional domains."
Indicators of Compromise
- [Domain] IoCs: 17 domains identified; examples: not disclosed in article
- [IP] IoCs: 6 IP addresses identified; examples: not disclosed in article
- [Email] IoCs: 30 email addresses connected to IoCs; examples: not disclosed
- [DNS/Domain-related] IoCs: 302 email-connected domains and 326 string-connected domains; examples: not disclosed
Read more: https://circleid.com/posts/20240906-inspecting-konfetys-evil-twin-apps-through-the-dns-lens