Mobile ad fraud campaign using novel “evil twin” method to conceal activities

Mobile ad fraud campaign using novel “evil twin” method to conceal activities

A sophisticated mobile advertising fraud campaign has been discovered that peaked at 10 billion bid requests per day.

Dubbed “Konfety” (the Russian word for candy) by HUMAN's Satori Threat Intelligence and Research team, the operation exploited a mobile advertising SDK called CaramelAds using a novel “evil twin” evasion method to conceal its activities.

The scheme involved the CaramelAds SDK, associated with a Russia-based ad network. The threat actors behind Konfety maintained over 250 non-malicious “decoy” apps on the Google Play Store that appeared to be owned by different developers but were largely template-based games controlled by the Konfety operators. HUMAN discovered that the fraudsters also resold inventory for apps they did not own directly.

The threat actors created a stripped-down version of the CaramelAds SDK, devoid of GDPR consent requirements, to generate fraudulent ads through “evil twins.” These evil twins mimicked legitimate publisher accounts and were distributed through malvertising, click-baiting, and drive-by attacks.

The Konfety campaign used the CaramelAds SDK in both its decoy apps and evil twins. The decoy apps contained the full version of the SDK, complete with GDPR consent notices, while the evil twins downloaded a pared-down version only after the app was fully installed. This stripped-down SDK lacked the necessary components for compliance and validation, focusing solely on generating out-of-context ads.

Key features of the evil twins included:

  • Modified Traffic: The ability to alter traffic to appear as though it originated from any type of device chosen by the actors.

  • URL Manipulation: Opening any URL using the device browser without user consent.

  • Lack of Validation: Bypassing checks standard in established networks, such as device legitimacy and correct ad rendering.

Both the decoys and evil twins utilized different command-and-control (C2) domains, some of which were hosted by the same IP address as other CaramelAds infrastructure. This setup allowed the fraudsters to operate stealthily, evading detection.


Back to the list

Latest Posts

Over 80K Roundcube webmail servers affected by high-severity RCE flaw

Over 80K Roundcube webmail servers affected by high-severity RCE flaw

Researchers report that an exploit for the vulnerability is already being sold on underground forums.
10 June 2025
Vulnerable Wazuh servers targeted by two Mirai botnets

Vulnerable Wazuh servers targeted by two Mirai botnets

The botnets exploited the flaw to fetch and execute a malicious shell script that serves as a downloader for the main Mirai malware payload.
10 June 2025
China-linked hackers target 70+ orgs across wide range of sectors

China-linked hackers target 70+ orgs across wide range of sectors

The researchers noticed overlaps between PurpleHaze and Chinese cyber espionage groups tracked as APT15 and UNC5174.
10 June 2025
Popular Posts
Featured vulnerabilities
Improper input validation in Mozilla Thunderbird
Medium Patched | 11 Jun, 2025
Improper privilege management in Fortinet products
Low Patched | 11 Jun, 2025
OS Command Injection in FortiADC
Low Patched | 11 Jun, 2025
Improper handling of insufficient permissions or privileges in FortiPAM and FortiSRA
Low Patched | 11 Jun, 2025
Improper certificate validation in FortiOS
Low Patched | 11 Jun, 2025