New Family of Deceptive Gaming Apps Discovered

A new family of gaming apps that uses out-of-context (OOC) ads to deceive users has been discovered on the Google Play Store. 

While fulfilling their advertised function to varying degrees, the apps run ads that appear to be coming from popular applications and social media platforms including YouTube and Chrome.

The brood of more than 240 deceptive Android apps was detected by the White Ops Satori Threat Intelligence and Research Team. Many of the apps are little more than Nintendo emulators that researchers say were "ripped from legitimate sources or low-quality games."

The assortment of deceptive apps was dubbed RAINBOWMIX by researchers as a nod to the vibrant 8- to 16-bit color palettes of retro games. The family garnered more than 14 million downloads before being removed from the Google Play Store.

Researchers observed that at its peak, RAINBOWMIX had more than 15 million ad impressions per day.

Malicious actors bypassed certain security protocols by using packer software that saves space and obfuscates the final payload. 

"All of the apps discovered seem to possess fairly low detection ratings across AV engines, largely because of the packer being used," noted researchers. 

The code responsible for the out-of-context ads was located in spoofed or illegitimate versions of legitimate SDKs (Software Development Kits), such as Unity and Android. Researchers did not detect any fraud directly tied to legitimate SDKs.

Among the apps found to contain the malicious SDK were com.colorisland.bubblebobble, com.zeldagames.n64emulator, and com.ninjasurvival.deathmatch.

Tell-tale signs that the apps were created with an ulterior motive were their sub-par operational capabilities and the ratings they received from users. 

"At first glance, RAINBOWMIX apps seem to work as advertised, although their quality likely leaves users wanting," said researchers. 

They added: "Most of the RAINBOWMIX apps have a 'C-shaped rating distribution curve' (with primarily 1- and 5-star reviews), which is common with suspect apps."

RAINBOWMIX tracked when users turned their screens on and off to determine the best moment for an ad to pop up. Most of the ad traffic shown to users came from Brazil, Indonesia, Vietnam, and the United States.
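The two tell-tale signs described above, the C-shaped rating distribution and the screen-on/off tracking, can both be turned into a simple triage check. The following is an added example written for this article, not code from White Ops or from the RAINBOWMIX apps. It assumes a constructed review histogram and a constructed excerpt of decompiled app code; because Android's `Intent.ACTION_SCREEN_ON` and `ACTION_SCREEN_OFF` are compile-time string constants, their literal values survive in the compiled app and can be searched for as plain strings. The thresholds in `is_c_shaped` are assumptions chosen for illustration, not values from the research.

```python
# Triage heuristics for suspect Play Store apps (added example, not the original
# researchers' tooling). Flags (1) a C-shaped star-rating curve and (2) code
# that listens for screen-state broadcasts, a common trigger for OOC ads.

# Literal action strings that end up in compiled code when an app registers a
# receiver for Intent.ACTION_SCREEN_ON / ACTION_SCREEN_OFF (inlined constants).
SCREEN_STATE_ACTIONS = (
    "android.intent.action.SCREEN_ON",
    "android.intent.action.SCREEN_OFF",
)


def is_c_shaped(hist, edge_share=0.6, middle_share=0.15, min_each_edge=0.2):
    """Return True when 1- and 5-star reviews dominate and 2-4 stars are thin.

    hist: dict mapping star value (1..5) to review count.
    Thresholds are illustrative assumptions, not published values.
    """
    total = sum(hist.get(s, 0) for s in range(1, 6))
    if total == 0:
        return False
    one = hist.get(1, 0) / total
    five = hist.get(5, 0) / total
    middle = sum(hist.get(s, 0) for s in (2, 3, 4)) / total
    # Both extremes must be substantial; a pile of only 5-star reviews is a
    # different pattern (review inflation), not the C shape described here.
    return (one + five) >= edge_share and middle <= middle_share \
        and min(one, five) >= min_each_edge


def screen_state_refs(decompiled_text):
    """Return the screen-state action strings referenced in decompiled code."""
    return sorted(a for a in SCREEN_STATE_ACTIONS if a in decompiled_text)


def triage(package, hist, decompiled_text):
    """Combine both heuristics into one finding record for an app package."""
    findings = []
    if is_c_shaped(hist):
        findings.append("c_shaped_ratings")
    refs = screen_state_refs(decompiled_text)
    if refs:
        findings.append("screen_state_receiver")
    return {"package": package, "findings": findings, "screen_actions": refs}


# Constructed sample data (hypothetical package name, invented counts and code).
SUSPECT_HIST = {1: 400, 2: 30, 3: 20, 4: 30, 5: 520}
NORMAL_HIST = {1: 50, 2: 60, 3: 150, 4: 300, 5: 440}
SUSPECT_CODE = """
const-string v1, "android.intent.action.SCREEN_OFF"
invoke-direct {v0, v1}, Landroid/content/IntentFilter;-><init>(Ljava/lang/String;)V
const-string v1, "android.intent.action.SCREEN_ON"
invoke-virtual {v0, v1}, Landroid/content/IntentFilter;->addAction(Ljava/lang/String;)V
"""
NORMAL_CODE = """
const-string v1, "android.intent.action.MAIN"
"""

if __name__ == "__main__":
    print(triage("com.example.retroemu", SUSPECT_HIST, SUSPECT_CODE))
    print(triage("com.example.cleangame", NORMAL_HIST, NORMAL_CODE))
```

Neither signal is conclusive on its own: plenty of legitimate apps register screen-state receivers, and a polarized review curve can come from a buggy but honest release. The value is in the combination, which is why `triage` reports both findings together for an analyst to weigh.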

Additionally, 53.3% of the traffic came from Chrome Mobile 84, while 3.6% came from Chrome Mobile 83.
