In recent times, several popular and attractive applications have been labeled as malware-laces apps after users and many experts found malicious activities. Even, tech giant Google has removed many Android apps from the Play Store as the company found that they were part of ad-fraud botnet.

The Satori mobile security team at the cybersecurity company, White Ops, discovered the botnet, named 'Terracotta.' As per researchers at White Ops, they have been tracking this botnet since late 2019.

Modus Operandi

apps on phone
Android apps Pixabay

As per the recent findings, Terracotta operated by uploading apps on the Play Store that promised users free products— shoes, sneakers, boots, tickets, coupons, and expensive dental treatments—if they install the apps on their devices. After installing these apps users had to wait two weeks to receive the free products. Meanwhile, users had to leave the app installed on their devices.

But these apps downloaded and ran a modified version of WebView—that allows you to display web content as part of the activity layout, but lack some of the features of fully-developed browsers. The operators behind Terracotta launched the modified WebView browser, without the knowledge of users, and performed ad fraud by loading ads and making revenue from fake ad impressions.

The researchers at the White Ops team described Terracotta as complex because it used new techniques to avoid detection from the defrauded ad networks. They also called it massive due to the scale at which Terracotta was operated. In June, Terracotta botnet silently loaded over two billion ads inside 65,000 infected smartphones, said the researchers.

Malicious Apps

google play store
Google Play

The malicious Terracotta apps would often wear out batteries and consume mobile bandwidth traffic. The list of infected apps is yet to be released by the White Ops. But Google took swift action by removing the undisclosed number of such malicious apps from Play Store and disabled them on all users' devices.

A Google spokesperson said, "Due to our collaboration with White Ops investigating the TERRACOTTA ad fraud operation, their critical findings helped us connect the case to a previously-found set of mobile apps" and to identify additional malicious apps. The spokesperson also said this has allowed Google to move quickly to protect "users, advertisers, and the broader ecosystem – when we determine policy violations, we take action."