Trimming the Fat
Last week, the Google Play store disrupted a large malvertising scam targeting Android users. The campaign was discovered by HUMAN’s Satori Threat Intelligence team, which dubbed the operation ‘SlopAds’ since many of the apps associated with the attack were mass-produced (in much the way ‘AI slop’ is). This was a worldwide malware campaign, with the highest concentration in the US (30%). So far, 224 malicious apps have been uncovered, accounting for millions of downloads.
If a user installs one of the apps directly through the Play store, it behaves normally. However, if the install came by way of one of the campaign’s ads, the app uses Firebase Remote Config to begin the infection.
The app’s first act is to determine whether it is installed on a legitimate user’s device, as opposed to an analyst’s machine or a security sandbox. If it detects an analysis environment, it remains inactive and therefore undetected. But if the device passes those checks, the app downloads four PNG images that use steganography to hide pieces of its payload. Steganography is the practice of representing information within another message or physical object, in such a manner that the presence of the concealed information would not be evident to an unsuspecting person's examination (source: Wikipedia). An example most people would be familiar with is the color chart used during an eye exam to determine the presence and/or type of color blindness: an image, usually a number, ‘hidden’ in layers of similar colors. In this case, the downloaded images contain hidden code within encrypted layers.
Once decrypted, the pieces recovered from the images are reassembled into the ‘FatModule’ payload, a malicious APK. APK is the file format used by Android and Android-based operating systems to distribute and install apps. FatModule’s function is to collect device and browser data and to use hidden WebViews to generate fraudulent ad clicks and impressions on domains and cashout sites owned by the threat actor(s), thereby providing them revenue. Given the large number of affiliated apps, many of which share the same AI theme (hence the operation name), it can be assumed that this campaign was intended to have a massive scope.
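To make the mechanism above concrete (a payload split across several images, hidden in the pixels so the pictures still look normal, then reassembled on the device), here is an added educational model in Python. It is not code from the HUMAN report or from the SlopAds apps. It assumes least-significant-bit (LSB) embedding in raw RGB pixel buffers; the report says only that the PNGs carried hidden, encrypted code, so the exact hiding scheme is an assumption, as is the use of a synthetic gradient as the cover image and random bytes standing in for an encrypted payload chunk. The defender-side functions show why this is invisible to the eye (every colour value changes by at most 1) and one simple statistical tell: the LSB plane of an image carrying encrypted data looks uniformly random, whereas the LSB plane of the synthetic cover does not.

```python
import math
import random

# Constructed sample: a 64x64 RGB "photo" built from a smooth gradient plus a
# little noise, so its least-significant bits are far from uniformly random.
WIDTH, HEIGHT = 64, 64


def make_cover_image(seed=1):
    """Return a bytearray of WIDTH*HEIGHT*3 colour values (synthetic cover)."""
    rng = random.Random(seed)
    pixels = bytearray()
    for y in range(HEIGHT):
        for x in range(WIDTH):
            base = (x + y) * 2  # even gradient value: LSB is 0 before noise
            for _ in range(3):  # R, G, B
                noise = rng.choice((0, 0, 0, 0, 0, 0, 0, 1))  # LSB=1 about 1/8 of the time
                pixels.append(max(0, min(255, base + noise)))
    return pixels


def embed_lsb(pixels, payload):
    """Hide payload bytes in the LSB of successive colour bytes.
    Assumed toy scheme for illustration; not the method the report describes."""
    bits = [(b >> i) & 1 for b in payload for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("payload too large for this cover image")
    out = bytearray(pixels)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & 0xFE) | bit  # only the lowest bit changes
    return out


def extract_lsb(pixels, nbytes):
    """Recover nbytes hidden by embed_lsb (what the app does on the device)."""
    data = bytearray()
    for i in range(nbytes):
        byte = 0
        for j in range(8):
            byte = (byte << 1) | (pixels[i * 8 + j] & 1)
        data.append(byte)
    return bytes(data)


def split_chunks(data, n):
    """Split data into n near-equal pieces, one per carrier image."""
    size = -(-len(data) // n)
    return [data[i * size:(i + 1) * size] for i in range(n)]


def lsb_entropy(pixels):
    """Shannon entropy (bits per value) of the LSB plane.
    Close to 1.0 means the LSBs look like random data, as encrypted bits do."""
    ones = sum(b & 1 for b in pixels)
    p = ones / len(pixels)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


def max_pixel_delta(a, b):
    """Largest per-value difference between two images of equal size."""
    return max(abs(x - y) for x, y in zip(a, b))


def looks_stego(pixels, threshold=0.95):
    """Heuristic flag: an LSB plane this close to random is suspicious."""
    return lsb_entropy(pixels) >= threshold


def demo(n_images=4):
    """Split a constructed payload across n_images covers, reassemble it,
    and run the detector over both the clean and the carrier images."""
    per_image = WIDTH * HEIGHT * 3 // 8  # bytes one cover can carry
    rng = random.Random(7)
    # Constructed stand-in for an encrypted payload blob (random bytes).
    payload = bytes(rng.getrandbits(8) for _ in range(n_images * per_image))
    covers = [make_cover_image(seed=i) for i in range(n_images)]
    chunks = split_chunks(payload, n_images)
    carriers = [embed_lsb(c, ch) for c, ch in zip(covers, chunks)]
    reassembled = b"".join(extract_lsb(s, len(ch)) for s, ch in zip(carriers, chunks))
    return {
        "roundtrip_ok": reassembled == payload,
        "max_delta": max(max_pixel_delta(c, s) for c, s in zip(covers, carriers)),
        "cover_entropy": [round(lsb_entropy(c), 3) for c in covers],
        "carrier_entropy": [round(lsb_entropy(s), 3) for s in carriers],
        "carriers_flagged": [looks_stego(s) for s in carriers],
        "covers_flagged": [looks_stego(c) for c in covers],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The LSB-plane entropy check is a deliberately simple heuristic: real photographs carry sensor noise that can push their LSBs close to random as well, so on its own it produces false positives, and serious steganalysis uses stronger statistical tests. The more reliable signal for an app like the one described is behavioural rather than visual: an app that downloads a handful of images, decodes bytes out of their pixels, decrypts them and then loads the result as code is doing something no benign image viewer needs to do.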
This type of malvertising is becoming more prevalent and sophisticated. And while the Google Play store was able to remove all the apps identified as being compromised so far, and users are protected by Google Play Protect, I doubt this is the last we’ll see of this type of attack. The infrastructure of this campaign is such that it is difficult to ascertain how it works until after the fact, making prevention a challenge. But the first rule of the internet remains relevant: never click an untrusted link. Going directly to the source of any app is almost always going to be safer than clicking an ad. And your friendly neighborhood WISP is here to provide the awareness to be forewarned and forearmed.
Posted on LinkedIn 9/22/25