Researchers: Gabi Cirlig, Michael Gethers, Lisa Gansky, Adam Sell

If you grew up with siblings, odds are you experienced some form of the classic kids’ aggravating “game” of copycat. The game usually came to an end when the copier got tricked into doing or saying something self-insulting or when they were tattled on to whomever was in charge.

It’s in that spirit that we named our latest Satori Threat Intelligence and Research investigation “CopyCatz”. The short version: we found a large number of apps on the Google Play Store that were mimicking notable apps to garner downloads, only to then trick the user into seeing a whole bunch of unexpected ads.

What’s really notable about the CopyCatz apps is just how many of them there were: we found 164 apps that shared this particular approach, with more than 10 million downloads among them. All of the apps have been removed from the Play Store as of this writing.

 

What It Did

The Satori team discovered that these apps contain code capable of displaying out-of-context ads under the com.tdc.adservice package. The apps’ behavior is controlled by a command-and-control JSON hosted on Dropbox (Note: Dropbox is another victim, not a participant, in the CopyCatz operation). The URL of the JSON differs from app to app, but the structure is very similar, indicating the frequency of the ads and the Publisher ID to be used.

The first app we spotted that triggered out-of-context ads—Assistive Touch 2020—is examined below. This app is a copy of a legitimate app, Assistive Touch. The app’s package name is a misspelled version of the official one, which is common to the apps in this operation.

| Field | Value |
|---|---|
| App Name | Assistive Touch 2020 |
| Package Name | com.teen.asasitivetouch.easytouch |
| MD5 | f5a170925701ca242975b7188343cb65 |
| SHA256 | ccd87882dff824165aded2cb6d0f8c2780471a0de1d1388f06ec13f08f0bf074 |
| File Size | 8.15 MB |
| Google Play Store Link | https://play.google.com/store/apps/details?id=com.teen.asasitivetouch.easytouch |
| Current Version | 1.0 |
| Developer | MoJetStudio |
| Contact Email | Mojetstudio@gmail.com |
| Domain | n/a |
| Address | Mojet Studio, Indonesia |

 

[Image: Assistive Touch 2020 on the Google Play Store. Source: White Ops Threat Intelligence, November 2020]

Interestingly, the apps didn't really try to cover their tracks. All of them embed the open-source Evernote job scheduler, which is used as a persistence mechanism (Note: Evernote is also a victim of this operation):

[Image: Evernote Job Scheduler embedded in the code. Source: White Ops Threat Intelligence, November 2020]

A quick lookup for Evernote jobs led us to the entry point of the out-of-context ads controller located inside the AdsJob class. It’s worth noting that all of the code presented in this report is located inside the com.tdc.adservice package. 

[Image: Entry point of the out-of-context ads controller. Source: White Ops Threat Intelligence, November 2020]

Based on the configuration received from the server, the job displays either in-house ads or out-of-context interstitials.

 

[Image: Ad configuration settings. Source: White Ops Threat Intelligence, November 2020]

The ads being displayed are retrieved dynamically from a JSON hosted in the cloud when the app is first launched, and then again at regular intervals.

[Image: Ad retrieval process. Source: White Ops Threat Intelligence, November 2020]

The retrieved configuration is then stored in the app's shared preferences, with access to the data proxied through the AppConfig class. By leveraging legitimate developer tools to establish persistence and to instantiate the out-of-context ads, the authors of the SDK managed to fly under the radar for at least two years, with only a single detection on VirusTotal.

[Image: One single detection on VirusTotal. Source: White Ops Threat Intelligence, November 2020]

How It Worked

Once the app is installed, it reaches out to the command-and-control server mentioned above:

[Image: First connection to the C2, after installation. Source: White Ops Threat Intelligence, November 2020]

The fullFrequency parameter seems to control how often the ads are displayed (in this example, every three hours). The inHouseEnable parameter determines whether ads for in-house products are displayed, and which platform the interstitial should be retrieved from.

 

[Image: C2 communication across multiple apps. Source: White Ops Threat Intelligence, November 2020]

After a grace period of a couple of hours (depending on the command-and-control server’s configuration), out-of-context interstitials started appearing on the device.

 

[Image: Capture of a retrieved interstitial. Source: White Ops Threat Intelligence, November 2020]

The out-of-context interstitial excludes itself from the list of recent apps, and as soon as the user navigates away from it, it disappears. The previous activity on the stack was the phone’s launcher, as seen in the second part of the gif above. The network traffic, seen below, also associates it with the analyzed app, which was not running at all at the moment the ad popped up.

 

[Image: Network traffic capture. Source: White Ops Threat Intelligence, November 2020]

What Do I Do?

Simply put, if you have one of the apps referenced in the Appendix below, remove it from your mobile device. Additionally, the Satori Team recommends blocking any apps that call ads from activities inside the package com.tdc.adservice.*. Even though platforms could choose to allow legitimate traffic from these apps by blocking only the out-of-context ads, the Satori Team recommends using the heavier-handed approach of blocking all the apps, since they were likely created very specifically to take advantage of the digital ecosystem.
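As an added example (not code from White Ops or from the apps in this report), the following Python script applies the two checks recommended above from the defender's side: it matches the packages installed on a device against a subset of the App IDs listed in the Appendix, and it triages ad requests so that any request originating from an activity inside com.tdc.adservice.* is blocked. The `pm list packages` output, the key=value ad-request log format and the activity class names in the sample are constructed for illustration; only the package names and the com.tdc.adservice prefix come from the report.

```python
"""Defender-side triage for the CopyCatz indicators described in this report.

Added example, not code from White Ops or from the apps. The log format,
the activity class names in the sample data and the 'com.example.*'
packages are constructed for illustration.
"""

# Package of the ad SDK named in the report; ad requests originating from
# activities under it are the recommended block criterion.
AD_SDK_PACKAGE = "com.tdc.adservice"

# Subset of the App IDs listed in the Appendix (exact strings from the report).
COPYCATZ_PACKAGES = frozenset({
    "com.teen.asasitivetouch.easytouch",   # Assistive Touch 2020
    "com.padgamestd.applock",              # AppLock New 2019
    "com.master.djsona",                   # DJ Mixer Studio 2018
    "com.goldese.controlcenter",           # iSwipe Phone X
    "com.xmwork.ringmaster.maker",         # Ringtone maker - Mp3 cutter
    "pth.speedtest.PeaSoft",               # Wifi Speed Test
    "com.veigar.dravenpthis",              # Wps Tester
    "com.avast.antiviru",                  # Antivirus 2017 & Cleaner
    "com.avast.clean",                     # Disk-clean-suite
})


def parse_pm_list(output):
    """Parse `adb shell pm list packages` output: one 'package:<name>' per line."""
    packages = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.append(line[len("package:"):])
    return packages


def find_copycatz_installs(installed_packages):
    """Return the installed package names that appear on the report's App ID list."""
    return sorted(p for p in installed_packages if p in COPYCATZ_PACKAGES)


def activity_in_package(activity_class, package):
    """True if a fully qualified activity class lives in `package` or a sub-package.

    The trailing dot prevents 'com.tdc.adserviceX...' from matching by prefix.
    """
    return activity_class == package or activity_class.startswith(package + ".")


def triage_ad_request(app_package, activity_class):
    """Decide whether an ad platform should serve one ad request.

    Returns (verdict, reason). Follows the report's heavier-handed advice:
    block the whole app when it is on the list, and block any request whose
    originating activity sits inside com.tdc.adservice.*, whatever the app.
    """
    if app_package in COPYCATZ_PACKAGES:
        return "block", "app is on the CopyCatz list"
    if activity_in_package(activity_class, AD_SDK_PACKAGE):
        return "block", "ad requested from an activity in " + AD_SDK_PACKAGE + ".*"
    return "allow", "no CopyCatz indicator"


def triage_ad_log(log_text):
    """Run triage over 'key=value' ad-request records, one per line (constructed format)."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        verdict, reason = triage_ad_request(fields["pkg"], fields["activity"])
        results.append((fields["pkg"], verdict, reason))
    return results


# Constructed sample data (not captures from the report).
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.teen.asasitivetouch.easytouch
package:com.example.weather
package:com.master.djsona
"""

SAMPLE_AD_LOG = """\
pkg=com.teen.asasitivetouch.easytouch activity=com.tdc.adservice.AdsActivity
pkg=com.example.weather activity=com.example.weather.MainActivity
pkg=com.example.unlisted activity=com.tdc.adservice.ui.InterstitialActivity
pkg=com.master.djsona activity=com.master.djsona.PlayerActivity
"""

if __name__ == "__main__":
    for pkg in find_copycatz_installs(parse_pm_list(SAMPLE_PM_OUTPUT)):
        print("remove:", pkg)
    for pkg, verdict, reason in triage_ad_log(SAMPLE_AD_LOG):
        print(f"{verdict:5} {pkg}: {reason}")
```

The third sample record shows why the activity check matters alongside the list: an app that is not (yet) on the list but requests ads from inside com.tdc.adservice.* is still blocked, which catches repackaged variants that change only the package name. The full list in the Appendix can be dropped into COPYCATZ_PACKAGES unchanged.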

When downloading a new app, make sure that you’re getting the real, official version of what you’re trying to get. Look at the reviews, not just the glowing five-star reviews, but also the one- and two-star reviews. Those are the ones that will call out ads that don’t belong and will alert you if something is amiss.

Appendix

Download the full list of apps associated with this investigation here. (txt file)

| App Name | App ID | Installs |
|---|---|---|
| 3D Photo Editor | com.vmins.frameefects | 50,000 |
| 3D Tattoo Photo Editor & Ideas | com.softwalk.threedtattoo | 10 |
| Applock 2020 - App Locker & privacy guard | com.applock.meetink | 1,000 |
| AppLock New 2019 – Privacy Zone & Lock your apps | com.padgamestd.applock | 1,000,000 |
| Assistive Touch 2020 | com.teen.asasitivetouch.easytouch | 10,000 |
| Audio Video Editor | audiochin.com.mp3.cutter.ringtone.video.maker.trimmer | 10,000 |
| Audio Video Mixer | ttpjsc.com.mp3.cutter.ringtone.video.maker.trimmer | 1,000 |
| Battery Saver Pro 2020 - New Power Saver | com.lastwod.battery.saver.ram.cleaner | 100,000 |
| Block Puzzle 102: New Tentris Mania | com.tetris.blockpuzzle3d | 1,000 |
| Chronometer | com.chronometer.gnuh | 10,000 |
| DJ Mixer Studio 2018 | com.master.djsona | 1,000,000 |
| GPS Speedometer | com.lissandras.telannasi.free | 100,000 |
| Graffiti Photo Editor - Graffiti Creator | com.popperx.graffitiphoto2020 | 500 |
| iSwipe Phone X | com.goldese.controlcenter | 5,000,000 |
| Lock app with Password - Applock All App Protector | com.tklinkst.applock | 100,000 |
| loudest alarm clock ever | com.loudultrasound.alarmclock | 10,000 |
| Lovedays Memory 2020 - Love Counter Together | com.go2counter.lovedays | 500 |
| Magnifier Zoom + Flashlight | kr.xmatools.magnifier | 100 |
| Max Cleaner - Speed Booster Pro 2021 | com.pipgami.phonecleaner | 100 |
| Motocross Racing 2018 | com.ganplank.motorracing | 10,000 |
| Name Art Photo Editor | com.binkai.heartnameart | 10,000 |
| Nox Cool Master - Cool Down 2020 | cooling.cleanox.phone.cooler | 1,000 |
| OS 13 Launcher - Phone 11 Pro Launcher | com.launcher.ios13.ip11usa | 50,000 |
| OS Launcher 12 for iPhone X | com.landroid.ios12.ios12us | 100,000 |
| Photo Editor Awesome Frame Effects 3D | com.pipgamiz.photoeditor | 1,000 |
| Rain Photo Maker - Rain Effect Editor | com.goldxia.raineffect | 10 |
| Repair System For Android & Speed Booster | systym.rypyir.fyx.opyryting.systym.pryblym | 100 |
| Ringtone maker - Mp3 cutter | com.xmwork.ringmaster.maker | 1,000,000 |
| Ringtone Maker Ultimate: New Mp3 Cutter | com.castofworld.ringtonemaker | 100,000 |
| Secure Gallery Vault: Photos, Videos Privacy Safe | com.kovelp.securegallery | 50,000 |
| Smart Cleaner-Battery Saver, Super Booster | com.cleaner2020.myphone.pro | 1,000 |
| Super Phone Cleaner 2020 | com.phonecludner.memorycxeener.fsxtcharging | 1,000 |
| Video Music Cutter & Merge Studio | com.macthink.musictrimmer.mp3ringtonecutter | 100,000 |
| Wifi File Transfer 2019 | wifi.transfer.pops | 500 |
| Wifi Key - Free Master Wifi | com.heimerdinger.wifi | 100,000 |
| Wifi Speed Test | pth.speedtest.PeaSoft | 500,000 |
| Wps Tester | com.veigar.dravenpthis | 500,000 |
| WPS WPA Wifi Test | com.vendra.ivernwpswpa | 100,000 |
| 100 mb Internet Speed Test - Broadband Speed Test | mb.speedtest.network | -- |
| 2 Ways Call Recorder Automatic, Record Phone Calls | com.skud.callrecorder.test | -- |
| 3D Awesome Frame Effects | com.gankmi.frameworkers | -- |
| 3D Photo Frames Effects & 3D Art Photo Maker | com.photo_frame.frame_maker | -- |
| Animals Sound Ringtones Real Free | com.mikjay.animalringtones | -- |
| Anti WannaCry Virus - Android | com.neufapps.antiviruswannacry | -- |
| Antivirus - Virus Remover | com.ceberusni.antivirus | -- |
| Antivirus 2017 | com.goldmob.antivirus.security | -- |
| Antivirus 2017 | com.mobileagency.xray | -- |
| Antivirus 2017 | com.mobiquev.antivirus | -- |
| Antivirus 2017 & Cleaner | com.antivirus.freecleaner0021 | -- |
| Antivirus 2017 & Cleaner | com.avast.antiviru | -- |
| Antivirus 2020, Cleaner & Booster | com.toodoo.smart.cleaner.pro.top2020.virus | -- |
| Antivirus For Android | com.uranusmobile.antivirus | -- |
| Antivirus Pro 2017 | com.se7en.antivirus | -- |
| Assistive Touch 2018 | com.volibears.assistouch | -- |
| Audio Video Editor Mixer 2019 - Video Cutter | macthinkbox.mp3audioeditor.videomixed | -- |
| AV Antivirus 2017 | com.tonyinc.antivirus | -- |
| Battery Doctor - Power Battery 2018 | com.tools.padbattery | -- |
| Battery Doctor 2018 - Fast Charger | plutanio.fastcharger.batterysaver | -- |
| Battery Saver - Fast Charging | com.batterylife.battery | -- |
| Battery Saver - Saving Battry | com.Connon.batterysaver | -- |
| Battery Saver Pro | com.enverall.phone.optimize.battery.fastcharging | -- |
| BeanPro Antivirus | com.beanpronew.antivirus | -- |
| Big Front - Change Front Size | com.bigfont.aether | -- |
| boost clean (junk cleaner pro) | com.junk.cleaner.phone.boost.security.speed | -- |
| Calculator | ltc.razarthur.android.calculator | -- |
| Call Block Blacklist and Block SMS Easy | com.tklinkmast.callblacklist | -- |
| Call Recorder For Android | com.zuka.callrecorder.voice | -- |
| Chinese Chess | com.xinzhao.chinesechess | -- |
| Clean My Android - Antivirus | com.antivirus.cours.faradd | -- |
| cleaner booster -ultra security- | speed.cleaner.junk.phone.security.boost.cleaner | -- |
| Collage Maker | photo.mnxmax.collagemakerpro | -- |
| Control Center IOS 12 - Phone X Control Center | com.goldese.phonrcontrolcenter | -- |
| Cool Master -CPU Device Cooler | com.ktopgames.coolmaster | -- |
| Disk-clean-suite | com.avast.clean | -- |
| Don't Stop Eighth Note | com.cassiopei.shen | -- |
| Don't Stop Eighth Note | com.fizzgaren.ryze | -- |
| Don't Stop Eighth Note 2 | com.Dontstop.eightnote | -- |
| Don't Stop Eighth Note Zombie | com.appsleon.dontstop | -- |
| Eighth Note | com.tryndamer.nami | -- |
| Eighth Note V2 | com.EighthNote.new | -- |
| Eighth Note: Yasuhati | com.khapkamer.kali | -- |
| Fast Charger - Dr Battery 2017 | com.kenpasea.saver | -- |
| Feeding Fish | com.tony.fishes | -- |
| Followers - Unfollowers For Insta | app.draven.unfollow | -- |
| free antivirus | com.ANTIVIRUSAPP.ANTIVIRUSAPP | -- |
| Free Antivirus-Mobile Security | com.namiprotect.antivirus | -- |
| Free VPN Proxy - Unlimited VPN & Wifi Security | free.vpnmaster.alistar.proxy.anand | -- |
| Get Followers Up 2019 | com.followers.getfollowers.followersinsta | -- |
| Get Followers Up 2020 | com.follower.getfollowers.followersinsta | -- |
| GPS Navigation | com.nakrothtoro.malochgildurgps | -- |
| Holy Bible | com.omisego.action | -- |
| How Fast is My Internet - High Internet Speed Test | mz.speedtest.internet | -- |
| Internet Speed Check 2019 | hp.tonyinc.speedmeter2018 | -- |
| Internet Speed Test | hp.leesin.leblanc | -- |
| Internet Speed Test | internet.speedtest.wifi.analyzer.morganas | -- |
| Internet Speed Test APK | ayoub.dev.wifi | -- |
| Internet Speed Test Free | hp.minigone.checkinterneto | -- |
| Internet speedmeter check | speedmeter2018.internetanalytics.testwifi | -- |
| K-Lock gallery picture & video | com.kenpazi.securegallery | -- |
| Learn Excel 2019 | usapp.den.dendidotoversion | -- |
| Learn Play Piano - Pianist | com.qjoker.renlpianotenshen | -- |
| Lich Van Nien 2017 | jp.cotts.lichviet | -- |
| Lịch Vạn Niên 2018 - Lịch Âm 2018 | lb.alice.lichviet | -- |
| Lion Antivirus 2017 | techmob.lion.antivirus.security.freeantivirus | -- |
| Loudest Volume Booster | annie.fiddlestick.execution | -- |
| Love days counter | com.mloves.countdays | -- |
| Male To Female Voice Changer | com.sunnyapp.voicechanger | -- |
| Master Sudoku Offline Free 2018 | sdkpro.sudoku | -- |
| Max Cleaner - Booster, Optimizer, Super Cleaner | com.max.booster.cleaner.phone.memory.pro | -- |
| Memory Cleaner 2020 | com.beoszei.mazzer.czeanez.czean | -- |
| Milab Music Player - All format audio files | com.minplayer.musicmp3ring | -- |
| Mine Sweep - Free Miner Game | violet.rammus.quinn | -- |
| Mp3 cutter – Video Cutter, Easy Ringtone Maker | com.photovideo.maker.video.trimmer.mp3.cutter.ringtone | -- |
| MP3Cutter & Ringtone Maker 2020 | com.rekcos.ringtonemaker | -- |
| New Full Battery Saver - Battery Manager & Cleaner | com.drbattery.battery.saver.ram.cleaner | -- |
| Night Mode | com.morgana.nightscreen | -- |
| Old Phone Ringtones | com.ringtones2018.annie.alarms | -- |
| Optimiser Pro Cleaner Booster | com.obtimizersupercleaner.antivirus | -- |
| Phone Booster | goldmast.lovefaster.speedcleaner | -- |
| Phone Cleaner - Speed Booster | nightcopo.cleanspeed.cleanjunk | -- |
| Phone Cooler - Cooling Master | com.ritamobile.cooldownphone.cpucooler | -- |
| Photo Editor | com.beststudian.photocollage | -- |
| Photo Frame Effects 3D | com.kenpasx.framephotox | -- |
| QR Code Scanner - QR Reader | com.Mobinet.scan | -- |
| Quick Ball | com.goldenwd.assistouch | -- |
| Quick Photo Square - Insta Emoji 2019 | com.kinvkep.instasquareemojisticker | -- |
| Recovery all photo deleted | com.vttl.app7.restoreimages | -- |
| Scream Go - Eighth Note T-Rex | com.dotsgame.eighthnote | -- |
| Secret Lock | com.goldmast.applock | -- |
| Security Pro | com.hilas.forsecuritypro | -- |
| Simple App Lock | com.zooinc.applock | -- |
| Smadav antivirus 2017 | com.smailapps.antivirus | -- |
| Smadav antivirus for android 2018 | com.smallapp.antivirus | -- |
| Smadav pro Total security | com.smartbapp.antivirus | -- |
| Sound Meter | com.yornstone.mina | -- |
| Speed Test Internet - Speed Check | hp.plutini.speedico | -- |
| speedtest net app | inter.speed.test | -- |
| Sudoku 2 | hp.sudoku | -- |
| Sudoku Basic For Beginners 2019 | gemosm.sudoku | -- |
| Super Antivirus Cleaner 2020 | com.jaybox.cleaner.security | -- |
| Super Cleaner - Phone Cache Cleaner, RAM Booster | com.cleanbooster.ducleanerjungle.phonepro.info | -- |
| Super Loud Alarm Clock | karthus.warhamme | -- |
| Super Loud Volume Booster | com.veerajax.volumebooster | -- |
| Super Wifi Rounter - Who Is On My Wifi | com.whenanalyzer.speedtxts.wifireuter.wifibeoster | -- |
| Super Wifi Rounter - Who Is On My Wifi | com.wifibestusas.speedusas.wifibester.wifibestusa | -- |
| TV Antivirus Free + Applock | toto.prosecurity | -- |
| Ultra Cleaner 2018 | com.anti.antianti | -- |
| Unfollowers & Ghost Followers For Insta | lux.elixir.unfollow | -- |
| Virus Cleaner - Antivirus 2018 | jems.antivirus.security | -- |
| VPN Unlimited Proxy - Super VPN For Android | free.vpnmaster.leBlanc.proxy.anand | -- |
| WiFi Toolbox | net.appstyl.wifi.booster.analyzer | -- |
| WPS Tester | com.veigar.ivernwpswpa | -- |
| انفالوياب اينستاگرام | instapersan.youch.unfollow | -- |
| -- | com.adrocklink.batterysaveras | -- |
| -- | com.maloch.colorballsnbl | -- |
| -- | com.miyoo.miyoubaidian | -- |
| -- | com.vttl.app7.restoreimaget | -- |
| -- | com.xmwork.ringmaster.makes | -- |
| -- | elphitamine.controlcenter | -- |
| -- | free.vpn.super.proxy.anou | -- |
| -- | hp.toolbox.speed | -- |
| -- | lulu.drmundow2017 | -- |
| -- | speed2018.mohamad.alyousef | -- |