16 July 2024

Mobile ad fraud campaign using novel “evil twin” method to conceal activities

A sophisticated mobile advertising fraud campaign has been discovered that peaked at 10 billion bid requests per day.

Dubbed “Konfety” (the Russian word for candy) by HUMAN's Satori Threat Intelligence and Research team, the operation exploited a mobile advertising SDK called CaramelAds using a novel “evil twin” evasion method to conceal its activities.

The scheme involved the CaramelAds SDK, associated with a Russia-based ad network. The threat actors behind Konfety maintained over 250 non-malicious “decoy” apps on the Google Play Store that appeared to be owned by different developers but were largely template-based games controlled by the Konfety operators. HUMAN discovered that the fraudsters also resold inventory for apps they did not own directly.

The threat actors created a stripped-down version of the CaramelAds SDK, devoid of GDPR consent requirements, to generate fraudulent ads through “evil twins.” These evil twins impersonated the decoy apps, reusing their package names so that fraudulent ad requests appeared to come from legitimate Play Store publishers, and were distributed through malvertising, click-baiting, and drive-by attacks.

The Konfety campaign used the CaramelAds SDK in both its decoy apps and evil twins. The decoy apps contained the full version of the SDK, complete with GDPR consent notices, while the evil twins downloaded a pared-down version only after the app was fully installed. This stripped-down SDK lacked the necessary components for compliance and validation, focusing solely on generating out-of-context ads.

Key features of the evil twins included:

  • Modified Traffic: The ability to alter traffic to appear as though it originated from any type of device chosen by the actors.

  • URL Manipulation: Opening any URL using the device browser without user consent.

  • Lack of Validation: Bypassing checks standard in established networks, such as device legitimacy and correct ad rendering.
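The device spoofing and missing validation described in the list above are what a demand-side platform or ad-fraud team would screen for on inbound bid requests. The Python below is an added example written for this page, not code from HUMAN, CaramelAds or the Konfety operators. The requests, bundle names and advertising IDs are constructed; field names follow OpenRTB 2.x (app.bundle, device.ifa, device.model, device.osv, device.ua). The two heuristics it applies, a user-agent that disagrees with the declared device fields and a single advertising ID whose fingerprint drifts between requests, are general checks for the “Modified Traffic” behaviour, not a reconstruction of how Konfety was actually detected.

```python
"""Heuristic device-spoofing checks on OpenRTB-style bid requests.

Added example for this article; not HUMAN's, CaramelAds' or Konfety's code.
All sample records below are constructed and the bundle names are hypothetical.
"""
import re
from collections import Counter, defaultdict

# Android HTTP user-agents embed the OS version and the device model, e.g.
# "Dalvik/2.1.0 (Linux; U; Android 13; Pixel 7 Build/TQ3A.230805.001)".
UA_RE = re.compile(r"Android (?P<osv>[\d.]+); (?P<model>.+?) Build/")

# Constructed sample traffic (not real bid requests).
SAMPLE_REQUESTS = [
    # ifa aaaa-1 first claims to be a Pixel 7 on Android 13 ...
    {"app": {"bundle": "com.example.candygame"},
     "device": {"ifa": "aaaa-1", "model": "Pixel 7", "osv": "13",
                "ua": "Dalvik/2.1.0 (Linux; U; Android 13; Pixel 7 Build/TQ3A.230805.001)"}},
    # ... and moments later a Galaxy S23 on Android 14: fingerprint drift.
    {"app": {"bundle": "com.example.candygame"},
     "device": {"ifa": "aaaa-1", "model": "SM-S911B", "osv": "14",
                "ua": "Dalvik/2.1.0 (Linux; U; Android 14; SM-S911B Build/UP1A.231005.007)"}},
    # Declared fields say Pixel 7 / Android 13, but the UA says otherwise.
    {"app": {"bundle": "com.example.candygame"},
     "device": {"ifa": "bbbb-2", "model": "Pixel 7", "osv": "13",
                "ua": "Dalvik/2.1.0 (Linux; U; Android 12; SM-A525F Build/SP1A.210812.016)"}},
    # A consistent device sending two requests from another app.
    {"app": {"bundle": "com.example.othergame"},
     "device": {"ifa": "cccc-3", "model": "Pixel 6a", "osv": "13",
                "ua": "Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6a Build/TQ3A.230805.001)"}},
    {"app": {"bundle": "com.example.othergame"},
     "device": {"ifa": "cccc-3", "model": "Pixel 6a", "osv": "13",
                "ua": "Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6a Build/TQ3A.230805.001)"}},
]


def ua_fingerprint(ua):
    """Return (osv, model) parsed from an Android UA, or None if unparseable."""
    m = UA_RE.search(ua or "")
    return (m.group("osv"), m.group("model")) if m else None


def ua_mismatch(req):
    """True when the UA-embedded OS version or model contradicts the declared fields.

    A legitimate SDK fills both from the same device; a spoofing SDK that
    rewrites device fields but not the HTTP stack's UA (or vice versa)
    leaves them disagreeing."""
    dev = req["device"]
    fp = ua_fingerprint(dev.get("ua"))
    if fp is None:
        return False  # unparseable UA is a separate signal; not judged here
    return fp != (dev.get("osv"), dev.get("model"))


def find_ifa_inconsistencies(requests):
    """Map each advertising ID to the set of (model, osv) it reported,
    keeping only IDs that reported more than one: a real device does not
    change hardware model between requests."""
    seen = defaultdict(set)
    for r in requests:
        dev = r["device"]
        if dev.get("ifa"):
            seen[dev["ifa"]].add((dev.get("model"), dev.get("osv")))
    return {ifa: fps for ifa, fps in seen.items() if len(fps) > 1}


def flag_requests(requests):
    """Return a list of reason lists, one per request (empty = not flagged)."""
    drifting = set(find_ifa_inconsistencies(requests))
    flags = []
    for r in requests:
        reasons = []
        if ua_mismatch(r):
            reasons.append("ua_device_mismatch")
        if r["device"].get("ifa") in drifting:
            reasons.append("ifa_fingerprint_drift")
        flags.append(reasons)
    return flags


def bundle_suspicion(requests):
    """Fraction of flagged requests per app bundle; bundles near 1.0 are
    candidates for an SDK that fabricates device attributes."""
    totals, flagged = Counter(), Counter()
    for r, reasons in zip(requests, flag_requests(requests)):
        bundle = r["app"]["bundle"]
        totals[bundle] += 1
        if reasons:
            flagged[bundle] += 1
    return {b: flagged[b] / totals[b] for b in totals}


if __name__ == "__main__":
    for bundle, score in sorted(bundle_suspicion(SAMPLE_REQUESTS).items()):
        print(f"{bundle}: {score:.2f} of requests flagged")
```

On the constructed sample the hypothetical com.example.candygame bundle scores 1.0 (every request is either drifting or self-contradictory) while com.example.othergame scores 0.0. In production these checks are a first-pass filter to be combined with the rendering and install-source validation the article notes the stripped-down SDK omits; UA parsing should also be extended beyond the Dalvik pattern used here.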

The decoys and the evil twins used separate command-and-control (C2) domains, some of which resolved to the same IP address as other CaramelAds infrastructure. Splitting the infrastructure this way let the fraudsters keep the Play Store decoys looking clean while the evil twins carried the fraudulent traffic, which helped the operation evade detection.
