TERRACOTTA

How would you proceed if you come across an application on the Google Play Store that offers to send you a free pair of high-end shoes, or coupons, event tickets, and even expensive denture procedures in exchange for downloading it on your device and filling personal details? It sounds like it is too good to be true, right? Indeed, it was all just a front for an advertising fraud botnet that was named TERRACOTTA by the researchers at White Ops' Satori Threat Intelligence & Research team who discovered it. 

Users were actually downloading and installing malware on their devices instead of simply waiting for 14 days and getting their promised free rewards. The average user wouldn't have noticed it, however, as TERRACOTTA doesn't behave advertisements. The corrupted application didn't report to be advertisement-supported on the Google play store, either. So, how are the hackers behind TERRACOTTA generating monetary gains?

TERRACOTTA Shows Intimate Knowledge of the Advertising Ecosystem

The payload distributed by the corrupted applications is a customized Android browser that comes equipped with a control module written in the React Native development framework. Once executed, it starts generating fraudulent advertising impressions and sells them into the programmatic advertisement ecosystem. All of the fraudulent activity is being carried out in the infected device's background without ever alerting the user. The hackers' goal behind TERRACOTTA was not to target individual victims but to defraud advertisers on a bigger scale. In just a couple of months, TERRACOTTA had managed to infect 65,000 devices, spoof 5,500 different applications, and generate 2.4 billion advertisement bid requests.

Such fake numbers could be easily detected if TERRACOTTA didn't come equipped with several sophisticated techniques to help it in its criminal endeavors. For example, TERRACOTTA uses false representation for the traffic it generates by spoofing other legitimate applications. To avoid detection, it leverages its Android Web View to render the advertisements allowing the malware to modify certain technical parameters used for application verification. Furthermore, it avoids being caught by application-ads.txt, an industry-wide standard, by only spoofing legitimate applications that have are not a part of application-ads.txt. One of TERRACOTTA's more sophisticated features is its ability to evade tag-detection by suppressing content from advertisement-verification domains by using a technique similar to advertisement-blocking.

To make its advertisement impressions seem as real as possible, TERRACOTTA is designed to ensure variance by hiding the fact that the traffic it generates is all based on Chromium version 80 and instead simulates several different Chromium versions. It also controls the click-through rate of the advertisement impressions and the exact place that the click or tap was registered in the advertisement.

What the TERRACOTTA campaign demonstrates once again is the effectiveness of promising free products as there are always people willing to ignore their common sense in the hopes of getting free stuff.