The Satori Threat Intelligence Team funded by HUMAN Security, a provider of a platform thwarting bot-based attacks, today disclosed it has uncovered a massive ad fraud operation involving the setting up of “evil twins” of applications found in the Google Play Store.

Dubbed Konfety, cybercriminals are leveraging a CarmelAds software development kit (SDK) for mobile advertisers to create a copy of legitimate application. That “decoy” application is then used to perpetrate advertising fraud and redirect end users to malicious websites loaded with malware.

The decoy applications in the Google Play Store are not being used to perpetrate fraud directly. Instead, when they are being disseminated via malvertising campaigns that in addition to creating fraudulent advertising traffic also result in extensions to browsers being installed, monitoring of Web searches and sideloading code onto devices.

Thus far, Satori researchers have identified more than 250 applications on the Google Play Store. The SDK is not inherently malicious but was exploited by threat actors to request and render ads, sideload additional Android Package Files (APKs), and establish connections to command-and-control (C2) servers.

Lindsay Kaye, vice president of threat intelligence for HUMAN Security, said this novel attack vector is not yet being widely used but it’s probable that multiple threat actors are already building evil twins of legitimate applications.

Ad networks, of course, have been long criticized for being conduits for the distribution of malware. Known as malvertising, cyberattacks involving misleading claims that lead unsuspecting end users to websites that infect endpoints with malware have been a longstanding issue. The challenge is once that malware finds its way to an endpoint, it often starts to laterally spread throughout the organization. Many organizations may not even be aware that malware exists until it’s activated.

Hopefully, organizations will continue to apply more pressure on advertising networks that programmatically distribute advertising without any regard to the content included to act more responsibly. After all, organizations that use these ad networks without any regard for the level of security being provided are part of the problem.

In the meantime, organizations should ensure they at least try to educate more end users to be more wary of mobile applications. Today there is a tendency to view mobile applications as being disposable pieces of software that end users often download without much of a second thought. Alas, a lot of the software has known vulnerabilities that cybercriminals already know well how to exploit. Worse yet, many of those applications will continue to reside on endpoints that are connected to corporate networks long after they are no longer being actively used.

There may come day one soon when artificial intelligence (AI) will make it trivial to identify and mitigate threats such as “evil twin” applications. The issue is that cybersecurity professionals can assume cybercriminals will be using the same technologies to create even more lethal threats. The one thing that is certain about cybersecurity is that the tactics and techniques employed by adversaries will only continue to increase in sophistication.