Google removed a set of unnamed Android applications from the Google Play Store after they were linked to a fraud botnet named TERRACOTTA. The botnet was detected by the Satori research team of the cybersecurity firm White Ops, whose bot detection specialists tracked it. The team is said to have been tracking and monitoring TERRACOTTA since late 2019, which the researchers themselves give as the time the botnet became active.
The TERRACOTTA operators uploaded fraudulent applications to the Google Play Store. These applications offered free bonuses and free products in exchange for installing the programs on the user's device; the promised bonuses are said to include concert tickets, free shoes, trainers, coupons, and expensive dental procedures. Victims attracted by the gifts were prompted to install the applications and were then told they had to wait two weeks to receive their prize.
Once installed, the applications downloaded and secretly launched a modified version of the WebView mini browser. This browser loaded fraudulent ads, generating revenue for the attackers from the victim's ad impressions.
The main application code in the APK is written with the cross-platform framework React Native. The app simply displays a form that the user fills in to receive the supposedly free products. No malicious function is found in this part of the application; the malicious content is associated with the .WAKE_LOCK and .FOREGROUND_SERVICE permissions.
Among the botnet's modules, one handles communication with the C&C servers. That connection is made through the messaging capability of Firebase, a widely used mobile application platform, and the ad fraud is activated by push messages delivered through Firebase. The victim unknowingly generates impressions for TERRACOTTA's fraudulent advertisements.
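As an added triage example (not code from the article or the White Ops researchers), the following script inspects a decoded AndroidManifest.xml and flags the combination described above: the WAKE_LOCK and FOREGROUND_SERVICE permissions together with a service registered to receive Firebase Cloud Messaging pushes. The sample manifest, its package name and the `.PushService` component are constructed for the example; the Firebase intent action `com.google.firebase.MESSAGING_EVENT` is the real action FCM services register for.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # attribute key for android:name

# Indicators taken from the article: two permissions plus Firebase push as the trigger channel.
SUSPECT_PERMISSIONS = {"android.permission.WAKE_LOCK", "android.permission.FOREGROUND_SERVICE"}
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Constructed sample manifest (hypothetical package and service names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.freeshoes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <application>
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: network access only, no push-handling service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the matched indicators and whether the manifest merits manual review."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    # A service whose intent-filter declares the FCM action runs code when a push arrives.
    fcm_services = [
        s.get(NAME) for s in root.iter("service")
        if any(a.get(NAME) == FCM_ACTION for a in s.iter("action"))
    ]
    hits = sorted(perms & SUSPECT_PERMISSIONS)
    return {
        "permissions": hits,
        "fcm_services": fcm_services,
        # Only the full combination is flagged; each indicator alone is common in legitimate apps.
        "review": len(hits) == len(SUSPECT_PERMISSIONS) and bool(fcm_services),
    }


if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    print(triage_manifest(BENIGN_MANIFEST))
```

The flag is a triage hint for analysts, not a verdict: many legitimate apps hold both permissions and use FCM, so a hit should lead to inspecting what the push handler actually does (for example, whether it spawns a hidden WebView).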
According to the researchers, in the month of June the TERRACOTTA botnet downloaded 2 billion advertisements and infected around 65,000 smartphones. The researchers presented their findings to Google, which took action against the malicious applications and removed them from the Google Play Store.
Credits: SecurityLab