The National Computer Emergency Response Team (nCERT) has issued an advisory to Android users worldwide regarding a malicious campaign by the Konfety Group. The campaign targeted users with over 200 counterfeit applications on the Google Play Store.
The operation, dubbed the “Konfety Apps” campaign, used “Evil Twin” applications designed to imitate legitimate software and generate financial gain through ad fraud. Although Google has removed the malicious applications, nCERT has proposed preventive and remedial measures to protect devices from similar attacks.
The campaign, as per the advisory, involved the distribution of modified APKs through advertising channels to deceive users into installing malicious applications. Upon installation, these applications functioned as droppers, deploying obfuscated stagers and backdoored software development kits (SDKs) to execute malicious operations. Ad fraud, payload installation, and second-stage malware deployment were among the activities that posed substantial risks to the data and devices of users.
The advisory emphasized that the Evil Twin applications use sophisticated obfuscation techniques to evade detection by conventional anti-malware tools. Their primary goal is to generate fraudulent ad views and impressions for financial gain. Furthermore, these applications request and exploit superfluous permissions, giving them illicit access to sensitive data and compromising the security of the device.
nCERT has identified a number of indicators of compromise (IOCs) that users should be aware of, such as unexpected network traffic, sporadic advertisements, sluggish device performance, and peculiar data consumption. It is recommended that users uninstall any applications from the list provided in Annex-A of the advisory. It is advised that affected devices undergo a factory reset, with backups restricted to personal files.
nCERT recommends that users limit app permissions to essential functions, update their devices routinely, and download applications exclusively from official stores such as Google Play or Apple’s App Store in order to prevent additional infections. It is also strongly recommended that reputable security software be installed and that data usage be monitored for anomalies. A thorough incident response procedure, which encompasses factory resets and restoration from clean archives, should be implemented for compromised devices.
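As an added illustration of the triage steps above (this is example code, not part of the advisory or this article), the script below parses captured output of two Android Debug Bridge commands, `adb shell pm list packages -3` and `adb shell dumpsys package <name>`, and flags third-party apps that appear on a watchlist or hold sensitive runtime permissions. The annex package names and the adb output are constructed placeholders, since Annex-A is not reproduced here.

```python
"""Triage helper for the nCERT Konfety advisory (added example, not the advisory's own tooling)."""
import re

# Placeholder for the advisory's Annex-A list; constructed names, not real entries.
ANNEX_A_PLACEHOLDER = {"com.example.konfety.twin", "com.example.fake.flashlight"}

# Runtime permissions the advisory would consider "superfluous" for a simple utility app.
SENSITIVE_PERMS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.ACCESS_FINE_LOCATION",
}

def parse_package_list(pm_output):
    """Return package names from 'pm list packages' output ('package:<name>' per line)."""
    return [line.split("package:", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]

def parse_granted_permissions(dumpsys_output):
    """Return permissions marked 'granted=true' in 'dumpsys package <name>' output."""
    return set(re.findall(r"(android\.permission\.[A-Z_]+): granted=true", dumpsys_output))

def triage(installed, perms_by_pkg, watchlist=ANNEX_A_PLACEHOLDER):
    """Map each suspicious package to the reasons it was flagged."""
    findings = {}
    for pkg in installed:
        reasons = []
        if pkg in watchlist:
            reasons.append("listed in advisory annex")
        risky = perms_by_pkg.get(pkg, set()) & SENSITIVE_PERMS
        if risky:
            reasons.append("sensitive permissions: " + ", ".join(sorted(risky)))
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample captures standing in for real adb output.
SAMPLE_PM = "package:com.example.fake.flashlight\npackage:com.example.notes\n"
SAMPLE_DUMPSYS = {
    "com.example.fake.flashlight": "  runtime permissions:\n"
        "      android.permission.READ_SMS: granted=true, flags=[ USER_SET]\n"
        "      android.permission.CAMERA: granted=true, flags=[ USER_SET]\n",
    "com.example.notes": "  runtime permissions:\n"
        "      android.permission.CAMERA: granted=false, flags=[ USER_SET]\n",
}

def run_sample():
    """Run the triage over the constructed captures; returns the findings dict."""
    installed = parse_package_list(SAMPLE_PM)
    perms = {p: parse_granted_permissions(SAMPLE_DUMPSYS.get(p, "")) for p in installed}
    return triage(installed, perms)

if __name__ == "__main__":
    for pkg, reasons in run_sample().items():
        print(pkg, "->", "; ".join(reasons))
```

On a real device, replace the constructed captures with the output of the two adb commands and the actual Annex-A package names from the advisory.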
The Konfety campaign highlights the rising sophistication of cyber attacks aimed at mobile platforms. nCERT has urged greater user awareness about installing unverified programs and granting unnecessary permissions. The advisory emphasizes the use of multi-factor authentication and regular security updates as recommended practices for mitigating threats in an evolving digital ecosystem.