Researchers Discovered 'Scylla' Adware Campaign That Infects Android And iOS Apps

Scylla malware campaign

Yet again another malware campaign is found.

More than often, hackers use malware to infect apps, in order to gain backdoor access to users' devices. The method is among the oldest trick in the book. But because it's extremely effective and rarely fails to succeed, the trick never grows old.

And this time, a malware campaign dubbed the 'Scylla' has been found by researchers at HUMAN’s Satori Threat Intelligence & Research team.

According to them in a report, 75+ Android apps and 10+ iOS apps have been found committing to "several flavors of ad fraud."

In total, the apps generated 13+ million downloads.

Fortunately, they have been taken down after the team contacted both Google and Apple.

JobScheduler triggering on on/off/user_present within a Scylla-associated app. (Credit: Satori Threat Intelligence and Research Team)

What the apps do when installed, is creating fake clicks, which translate into revenue to the app developers.

The way the apps show ads is extremely invasive, with some that are very sneaky.

For example, the researchers said victims may see out-of-context ads on their phone that they may have never seen before. But in many cases, the ads can be made hidden, in which they can "show" up and register clicks, but invisible to the victims.

This is possible because the adware uses what's called the “JobScheduler” system, which triggers ad impression events even when the victims aren’t actively using their devices, for example, when the screen is off.

Typically, apps being used in the Scylla campaign leverage a bundle ID that doesn’t match their publication name. This is meant to make it appear to advertisers, that the ad clicks/impressions come from a more profitable software category.

The researchers found that the Scylla apps imitated up to 6,000 CTV-based apps, and regularly cycled through the IDs to evade fraud detection.

The code within the Scylla apps is specifically built to take information from real clicks - like the timing of a real person’s click of an ad and where on the ad they clicked it - and then send that information again as a fake click to cash in.

Both Google as the owner of Android and Apple as the owner of iOS have taken corrective steps to remove these dangerous apps from the Google Play Store and App Store, respectively.

But still, the apps may still be on victims' phones.

This is why both Android and iOS users must see whether they have these apps installed.

They need to uninstall them immediately, if instances of the apps are found.

Code within Scylla-associated apps log click locations and save them to later fake clicks. (Credit: Satori Threat Intelligence and Research Team)

The analysts believe that Scylla is the third wave of an operation they found in August 2019 and dubbed 'Poseidon'.

The second wave, apparently from the same threat actor, was called 'Charybdis', and that it was culminated towards the end of 2020.

Poseidon, which the researchers referred to as the "father," consisted of more than 40 Android apps that were openly committing ad fraud within their code.

Following the original Poseidon attack, the researchers Charybdis, which the researchers call the "daughter."

The campaign evolved from the Poseidon operation, to also include code obfuscation and SDK Targeting.

This time, Scylla, dubbed the "granddaughter," is again expanding upon previous campaigns.

Among the aforementioned features, compared to Poseidon, Scylla apps rely on additional layers of code obfuscation that is powered by the Allatori Java obfuscator.

This makes detection and reverse engineering more difficult for researchers.