Security Alert: Black Hat ASO Malware

Howdy folks!

Last week I saw a post regularly popping up on twitter. Originally it was in Spanish and I was using G translate to try understand it but luckily the content creators published an English version.

Usually I ignore tweets around app store optimization on twitter, on a normal day it’s roughly the same five people re-tweeting their own content repeatedly through bought or automated tweets to manipulate web search. Needless to say I’m not a fan of that behaviour, it’s not adding value and isn’t good marketing. However, on this occasion this particular piece of content was coming from multiple and, seemingly, legitimate places and I’m glad I took the time to read it.

Shuabang is what exactly?

If you’ve spent any time in the app marketing world you’ll have heard of app store optimisation. If you’ve spent a lot of time in the app marketing industry you’ll know that the rankings can be heavily influenced by the app download metric, i.e. the more downloads the better the ranking. This, of course, has lead to a big industry developing around high volume automated downloads which in China is called Shuabang.

Why we talking about this now?

Security company recently published at report (this is the report appearing on twitter) on this service after finding malicious Shuabang apps in the Play, incidentally Google has removed them already so no need to panic.

The full report is definitely worth reading and can be found on their blog. They’ve got it in Spanish and English.

 The are key points…

I do suggest you read the full thing to get an idea of how clever these sorts of systems are but if you don’t have the patients Elevnpaths drew up some conclusions along with a diagram of the system behaved. Super interesting…if you’re a nerd. The following is a direct quote.


Although the attacker seems to have a known ultimate goal (black ASO), he achieved several interesting milestones by developing these malicious apps:

  • He created or bought 12,567 Google accounts, most of which were automatically created. Account creation requires breaking a CAPTCHA.
  • He achieved a low level understanding of the Google registration and device to account association process. He was able to program them to work automatically. This is not officially documented and there is very little documentation about this.
  • He was able to introduce some 100 malicious apps in Google Play with apparently harmless permissions.
  • He was able to manage a task system that fully optimized the activity of the infected network by distributing download and account association tasks, etc.
  • He was able to use the victims’ devices features to associate them with accounts and thus perpetrate the fraud, as if a fake user was registered in the victim’s device.
  • Although the victim’s account data is not affected, these malicious apps imply taking advantage of resources and violating privacy.

Check out this diagram by Eleven Paths. It show’s how clever but equally how few steps it took to automate account credential theft, automated downloads and reviews.


Why app marketers should be interested in this?

If you’ve read their blog post you’ll understand what length the developer (referred to as ‘he’, not sure if that’s an assumption or not) went to in order to develop a system which would generate ‘fake’ reviews from zombied accounts. It demonstrates the weakness of an app chart which is volume driven and of which the crux of that volume is determined by reviews and downloads which as demonstrated in this study can be manipulated with relative easy.

Challenges for the future

Although Google caught this act of manipulation early on, part of the damage had been done. Future attempts my be caught in the act and hopefully before anyone’s details are taken. However, there are always going to be people out to manipulate and spam search driven marketing channels and it’s up to the two power houses at the top to become smarter to help reduce fraud and deception in their app stores.

I’m not sure how an anti-spam team works but if it was me in charge I’d be constantly trying to break the system. I’m not sure if having an internal team to do this would be efficient. A way around this is  Apple or Google could offer rewards demonstrating how their algorithms could be manipulated through automation. This would rally a huge force of developers to help crack down on holes in the system. All the search engines would need to do is plug the holes and work on improving quality metrics.

Theirs a good chance they won’t do that so…

Another way is to reduce the dependency on the volume and review metrics of the stores or apply a cross reference with other metrics to ensure that it’s a natural growth and not a bot. One way to do this would be to look for social growth or social references over the peak time of downloads. Another is to couple social with press mentions. Look for a broader base of growth. This would imply that there is more that just downloads happening there is a movement, for lack of a better phrase.

Thinking out loud

All of  this is me thinking out loud, Play and the App Store could already be moving towards this way of thinking. Either way it’s my opinion that it can’t come quick enough.

Feel free to comment, call me out, brain storm (like I am) or vent your anger about your app store experiences.

Search and Mobile enthusiast, like to tinker in apps, machine learning, big data and currently Python.

2 replies
  1. Marcelo Brahimllari
    Marcelo Brahimllari says:

    Quality! Its fun to see that Blackhat ASO is 100 times more complicated than Blackhat SEO (where pointing a couple of low quality links to a page is considered wrong)


Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *