Mobile ad fraud campaign using novel “evil twin” method to conceal activities

A sophisticated mobile advertising fraud campaign has been discovered that peaked at 10 billion bid requests per day.

Dubbed “Konfety” (the Russian word for candy) by HUMAN's Satori Threat Intelligence and Research team, the operation exploited a mobile advertising SDK called CaramelAds using a novel “evil twin” evasion method to conceal its activities.

The scheme involved the CaramelAds SDK, associated with a Russia-based ad network. The threat actors behind Konfety maintained over 250 non-malicious “decoy” apps on the Google Play Store that appeared to be owned by different developers but were largely template-based games controlled by the Konfety operators. HUMAN discovered that the fraudsters also resold inventory for apps they did not own directly.

The threat actors created a stripped-down version of the CaramelAds SDK, devoid of GDPR consent requirements, to generate fraudulent ads through “evil twins.” These evil twins mimicked legitimate publisher accounts and were distributed through malvertising, click-baiting, and drive-by attacks.

The Konfety campaign used the CaramelAds SDK in both its decoy apps and evil twins. The decoy apps contained the full version of the SDK, complete with GDPR consent notices, while the evil twins downloaded a pared-down version only after the app was fully installed. This stripped-down SDK lacked the necessary components for compliance and validation, focusing solely on generating out-of-context ads.

Key features of the evil twins included:

  • Modified Traffic: The ability to alter traffic to appear as though it originated from any type of device chosen by the actors.

  • URL Manipulation: Opening any URL using the device browser without user consent.

  • Lack of Validation: Bypassing checks standard in established networks, such as device legitimacy and correct ad rendering.

The decoys and the evil twins used different command-and-control (C2) domains, some of which were hosted on the same IP address as other CaramelAds infrastructure. Keeping the two sets of infrastructure separate allowed the fraudsters to operate stealthily and evade detection.
