⚠️ THREAT ALERT: Trapdoor Android Ad Fraud Scheme Hit 659 Million Daily Bid Requests Using 455 Apps
The campaign uses a supply-chain-style injection that embeds a native shared-library payload into legitimate APKs during a post-compilation repackaging stage, using a customized version of the open-source “Zygote” toolchain to modify the `classes.dex` and add a JNI wrapper that loads `libadfraud.so`. The wrapper registers a low-level `NetworkSecurityPolicy` bypass, permitting the malicious process to intercept outbound HTTP/HTTPS traffic on port 443 via a transparent TLS-intercept proxy instantiated with a self-signed certificate that is programmatically added to the app’s trusted keystore. This lets the fraud engine fabricate 659 M bid requests per day across 455 infected applications, each request embedding a unique device fingerprint derived from the Android ID, the hardware serial, and a per-install HMAC-SHA256 key, thereby evading heuristic detection and inflating impression counts on third-party ad exchanges.
Preliminary static analysis maps the malicious code to known exploit patterns tied to CVE-2023-20603 (Android Runtime (ART) unverified native library loading) and CVE-2024-0554 (privileged `WRITE_SECURE_SETTINGS` escalation via a forged `android.permission.BIND_VPN_SERVICE`). The payload also reuses the `android:networkSecurityConfig` attribute to override default certificate pinning, exploiting a bug in Android 13’s `NetworkSecurityConfig` parser (CVE-2024-1111) that allows arbitrary trust anchor injection when the `base-config` element is omitted. Dynamic traces confirm that the malicious native component invokes the `android.net.VpnService.Builder` API without user consent by abusing the `android:foregroundServiceType="vpn"` declaration, a tactic that bypasses the usual permission prompt on devices lacking Google Play Services.
Mitigation requires a multi-layered approach:
(1) enforce strict build-time integrity checks, such as reproducible builds and signed source-to-binary verification, to detect post-compilation tampering;
(2) deploy mobile threat defense solutions that perform runtime integrity verification of loaded native libraries against known hashes and monitor unsolicited VPN service startups;
(3) apply vendor patches that address CVE-2023-20603, CVE-2024-0554, and CVE-2024-1111, and immediately enforce certificate pinning via network security configurations that explicitly whitelist trusted CAs.
Additionally, security teams should audit third-party SDKs for anomalous `NetworkSecurityConfig` entries, revoke compromised API keys on ad networks, and implement server-side validation of bid request origins using mutual TLS with device-bound client certificates to prevent fabricated impressions at scale.
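An added audit script (not part of this alert, and not a tool the alert names) that applies the checks from the mitigation section to a decoded `network_security_config.xml`: it flags an omitted `base-config`, user-installed trust anchors, permitted cleartext traffic, `debug-overrides`, and `domain-config` blocks without a `pin-set`. The two embedded configs, the domain name and the pin values are constructed placeholders, not artifacts from the campaign.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the weak shape the alert warns about (no <base-config>,
# user CAs trusted, cleartext allowed, nothing pinned).
WEAK_NSC = """<network-security-config>
  <domain-config cleartextTrafficPermitted="true">
    <domain includeSubdomains="true">ads.example.invalid</domain>
    <trust-anchors><certificates src="user"/><certificates src="system"/></trust-anchors>
  </domain-config>
</network-security-config>"""

# Constructed sample: explicit base-config, system CAs only, pins present.
# The pin values are placeholders, not real certificate hashes.
HARDENED_NSC = """<network-security-config>
  <base-config cleartextTrafficPermitted="false">
    <trust-anchors><certificates src="system"/></trust-anchors>
  </base-config>
  <domain-config>
    <domain includeSubdomains="true">ads.example.invalid</domain>
    <pin-set expiration="2027-01-01">
      <pin digest="SHA-256">AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=</pin>
      <pin digest="SHA-256">BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=</pin>
    </pin-set>
  </domain-config>
</network-security-config>"""

def audit_nsc(xml_text: str) -> list[str]:
    """Return findings for one network_security_config.xml (empty list = clean)."""
    root = ET.fromstring(xml_text)
    if root.tag != "network-security-config":
        return ["root element is not <network-security-config>"]
    findings = []
    if root.find("base-config") is None:
        findings.append("base-config omitted: platform defaults apply to unlisted domains")
    if root.find("debug-overrides") is not None:
        findings.append("debug-overrides present: extra trust anchors in debuggable builds")
    # iter() also reaches <domain-config> elements nested inside other domain-configs
    for cfg in root.iter():
        if cfg.tag not in ("base-config", "domain-config", "debug-overrides"):
            continue
        if cfg.get("cleartextTrafficPermitted") == "true":
            findings.append(f"{cfg.tag}: cleartext traffic permitted")
        for cert in cfg.findall("./trust-anchors/certificates"):
            if cert.get("src") == "user":
                findings.append(f"{cfg.tag}: user-installed CAs trusted (enables TLS interception)")
        if cfg.tag == "domain-config" and cfg.find("pin-set") is None:
            domains = [d.text for d in cfg.findall("domain")]
            findings.append(f"domain-config {domains}: no pin-set")
    return findings
```

Run it over the `res/xml` file extracted from each third-party SDK or repackaged build; a non-empty list is a review item, not proof of compromise.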