Malware: Instead of free sneakers, Android users got malware


Image: White Ops, ZDNet

Google has removed a number of Android apps from its Play Store that are believed to be part of a fraudulent botnet. Called Terracotta, this botnet was discovered by the Satori mobile security team of White Ops, a security company specializing in identifying bot behavior. White Ops researchers had been tracking Terracotta since late 2019, when the botnet appears to have started operating.

Free products as a lure

According to the researchers, Terracotta's modus operandi was to get users to install apps from the Google Play Store by promising freebies. Typically, the apps "offered" sneakers or boots, but sometimes also tickets, gift cards, or even expensive dental care. To get their gift, users had to install the app and then wait two weeks to receive it, during which time they had to leave the app installed on their smartphone.

However, the apps in question were downloading and running a modified version of WebView, a stripped-down version of Google Chrome. The Terracotta gang would launch the modified WebView browser, hidden from the user's view, and commit ad fraud by loading ads and earning revenue from fake ad impressions.

The White Ops team describes Terracotta as an operation that is both complex and massive: complex because of its use of advanced techniques to avoid detection, and massive because of its scale. For example, White Ops says that during the last week of June alone, the Terracotta botnet silently loaded more than two billion advertisements on 65,000 infected smartphones.

A fraud that also affects users

Currently, after intervention by Google, the presence of the botnet on the Play Store has been reduced, but not completely removed, with some devices still appearing to be infected.


Volume of requests for offers following the intervention on the Play Store. Image: White Ops.

You would think that because these apps target ad networks and not users directly, users are not affected by the problem. But on infected devices, the apps run 24 hours a day and consume huge amounts of battery and bandwidth.

Google acted quickly

Unfortunately, White Ops has not published a list of applications infected with Terracotta. However, the good news is that when Google removes malicious apps from the Play Store, it also deactivates them on all users' devices, which ends their malicious behavior.

“Through our collaboration with White Ops, which is investigating the TERRACOTTA ad fraud operation, and their critical findings, we were able to link the case to a set of mobile apps already found and identify other malicious apps. This allowed us to act quickly to protect users, advertisers and the ecosystem at large. When we see violations of our policy, we take action,” a Google spokesperson said.

For security researchers, Android app developers, and software engineers, White Ops has released an in-depth technical report detailing the inner workings of Terracotta.

