RAINBOWMIX is the researchers' name to a group of 240 Android applications designed to deliver out-of-context OOC advertisements to unsuspecting users. Before Google stepped up and took action, the entire group of threatening applications was available for download through the official Google Play store. According to the researchers, the applications had amassed over 14 million installations and generated over 15 million daily impressions collectively. Most advertising traffic came from Brazil - 21%, with Indonesia and Vietnam following closely behind. Around 7.7% of the traffic was determined to be from the U.S.
To lure users, most of the applications offered emulation for retro games such as the ones available on the Nintendo NES systems. For the most part, this functionality was intact, and RAINBOWMIX did indeed deliver on its promises, at least on the surface level. The problem is that the true purpose of RAINBOWMIX is to deliver OOC advertisements pretending to be coming from reputable sources like YouTube or Chrome, almost guaranteeing that for a period, the affected users will not notice that something suspicious is going on.
The hackers behind RAINBOWMIX used a 'packer' software to bypass the Google Play store's safeguard measures. The applications also were equipped with various triggers for services and receivers that were coded to initiate upon certain events such as system boot, application installation, whenever a charging cord was plugged in or out or when the Internet connection changed. According to the scientists, this was done as an anti-analysis measure. As for the OOC advertisements, their trigger was a service called 'com.timuz.a,' which was kept running by a wrapper - com.google.android.gms.common.license.a.
Communication with the Command-and-control (C&C, C2) infrastructure was base-64 encoded, and once communication was established, a legitimate SDK - com.ironsource.sdk.handlers.a.a, was exploited to deliver advertisements every 10 minutes. The domain of the C2 at 'api.pythonexample[.]com' is considered by the infosec researchers a hacked website. The same C2 structure was used for all 240 of the RAINBOWMIX applications.
To maximize the OOC advertisements' delivery and minimize the chances of becoming too obvious potentially, the hackers equipped the applications with a monitoring function when the compromised device's screen was turned on and off. The scientist found the code for this activity hidden in a fake Unity class 'com.unity.b.'
While all of the RAINBOWMIX applications were expunged from the Play Store, users who have already downloaded any of them have to uninstall the applications from their devices manually.