The threat actors behind a newly discovered malicious advertising app operation have been active since at least 2019, but researchers tracking their evolution report the group has become more sophisticated, expanding beyond its previous Android-specific attacks into the iOS ecosystem.
The latest campaign, according to researchers with Human Security’s Satori research team, included 80 Android Apps lurking in the Google Play store and, notably, 9 in the Apple App Store. All together, the team reported the malicious applications were downloaded at least 13 million times.
Once downloaded, the malicious applications spoof other apps to rack up digital ad views, play hidden ads the user couldn’t see to gain fraudulent views, and even track legitimate ad clicks to hone the group’s ability to fake them more convincingly later.
The research team, which flagged the apps for removal from the official stores, calls this latest iteration of the attack group Scylla. The earliest version of the group was called Poseidon, then Charybdis. Scylla is the third wave of attacks from the threat actors, the Human team explained in their report.
“Today’s announcement of the disruption of Scylla — named after the granddaughter of Poseidon — reflects a new evolution from the threat actors behind the scheme,” the Human team said about the find. “While the Poseidon and Charybdis operations centered wholly on Android apps, the Satori team has found evidence that Scylla additionally targets iOS apps and has expanded the attack to other parts of the digital advertising ecosystem.”
Human Security worked with Google and Apple to remove the malicious applications and is continuing to work with advertising software development kit developers to mitigate the campaign’s fallout.
“These tactics, combined with the obfuscation techniques first observed in the Charybdis operation, demonstrate the increased sophistication of the threat actors behind Scylla,” the Human team added. “This is an ongoing attack, and users should consult the list of apps in the report and consider removing them from all devices.”