(jamf.com) MobiDash: Evolution from Adware to a Sophisticated Android Fraud Platform with Ghost Clicks and Proxy Infrastructure
MobiDash has evolved from adware into a sophisticated Android fraud platform, combining click injection, phantom ad rendering, and residential proxy infrastructure orchestrated by a dynamic C2 server.
In brief: MobiDash is a modular Android fraud platform embedded in repackaged apps that monetizes through ad fraud and proxy resale. It fabricates user interaction by rendering ads on a VirtualDisplay the user never sees and feeding them synthetic touch events, while its C2 server pushes live code updates, so the behaviour of an installed sample can change without a new APK. Victims are both the device owner (CPU, battery and bandwidth consumed; the device's IP lent out as a proxy exit) and the advertisers billed for engagement that never happened.
Technically: MobiDash injects its payload into legitimate APKs with an automated patcher, stores its state in SQLCipher-encrypted databases, and runs emulator checks to evade sandboxes. It uses reflection to swap the app's base Context, intercepts PackageManager calls to spoof what ad SDKs see about the installed environment, and renders phantom ads on a VirtualDisplay. The C2 server delivers interaction scripts, JavaScript injections, and synthetic touch sequences. A proxy layer (the Hopmon SDK and SOCKS5 over SSH tunnels) turns infected devices into residential exits, monetizing their bandwidth and letting fraud traffic originate from whatever geography the operator needs.
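A practical starting point for hunting this class of sample is to look at which Android APIs a repackaged APK actually references. The script below is an added example written for this page, not code from Jamf or from the MobiDash analysis: it walks the string table of each `classes*.dex` inside an APK (using the DEX header's `string_ids` offsets, with no external tooling) and reports which of several behaviour categories from the paragraph above are present. The indicator strings (`createVirtualDisplay`, `sendPointerSync`, the `mBase` field used for base-context replacement, `getInstalledPackages`, the SQLCipher class, the `goldfish` emulator check, and so on) are the author's assumptions, not indicators published by Jamf, and every one of them also has legitimate uses, so a hit is a triage signal for manual review rather than a verdict. The sample APK is constructed in memory so the script runs offline.

```python
"""Static triage of an APK's DEX string tables for API names tied to the
behaviours described above. Constructed example; indicator lists are
assumptions by the editor, not published MobiDash indicators."""
import io
import struct
import zipfile

# Assumed indicator sets. A category fires only when every string in it is
# present in the merged classes*.dex string tables. Each API has legitimate
# uses (screen mirroring, UI testing, encrypted storage), so treat a hit as
# a reason to look closer, not as proof of fraud.
INDICATORS = {
    "phantom_rendering": ["Landroid/hardware/display/DisplayManager;", "createVirtualDisplay"],
    "synthetic_touch": ["Landroid/view/MotionEvent;", "obtain",
                        "Landroid/app/Instrumentation;", "sendPointerSync"],
    "context_replacement": ["Ljava/lang/reflect/Field;", "setAccessible", "mBase"],
    "pm_interception": ["Landroid/content/pm/PackageManager;", "getInstalledPackages"],
    "encrypted_storage": ["Lnet/sqlcipher/database/SQLiteDatabase;"],
    "emulator_check": ["Landroid/os/Build;", "FINGERPRINT", "goldfish"],
}

DEX_MAGIC = b"dex\n035\x00"
HEADER_SIZE = 0x70  # size of dex header_item


def dex_strings(data: bytes) -> list:
    """Return every string in a DEX file's string table.

    Per the dex format: string_ids_size at 0x38, string_ids_off at 0x3C; each
    string_id_item is a u4 offset to a string_data_item, which is a ULEB128
    UTF-16 length followed by MUTF-8 bytes and a NUL terminator.
    """
    if data[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    count, table_off = struct.unpack_from("<II", data, 0x38)
    strings = []
    for i in range(count):
        (str_off,) = struct.unpack_from("<I", data, table_off + 4 * i)
        pos = str_off
        while data[pos] & 0x80:  # skip the ULEB128 length prefix
            pos += 1
        pos += 1
        end = data.index(b"\x00", pos)
        # MUTF-8 only differs from UTF-8 for NUL and supplementary characters;
        # the API names we match are ASCII, so UTF-8 decoding is adequate.
        strings.append(data[pos:end].decode("utf-8", errors="replace"))
    return strings


def triage_dex_strings(strings: list) -> dict:
    present = set(strings)
    return {name: all(s in present for s in needles)
            for name, needles in INDICATORS.items()}


def triage_apk(apk_bytes: bytes) -> dict:
    """Merge the string tables of every classes*.dex in the APK and score them."""
    merged = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                merged.extend(dex_strings(zf.read(name)))
    return triage_dex_strings(merged)


# --- constructed sample input: a minimal DEX and APK built in memory --------

def _uleb128(n: int) -> bytes:
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def build_minimal_dex(strings: list) -> bytes:
    """DEX blob with only a header and string table: enough for dex_strings,
    not loadable by ART. Used to fabricate test input offline."""
    header = bytearray(HEADER_SIZE)
    header[:8] = DEX_MAGIC
    struct.pack_into("<II", header, 0x38, len(strings), HEADER_SIZE)
    table, blob = bytearray(), bytearray()
    data_off = HEADER_SIZE + 4 * len(strings)
    for s in strings:
        table += struct.pack("<I", data_off + len(blob))
        blob += _uleb128(len(s)) + s.encode("utf-8") + b"\x00"
    return bytes(header + table + blob)


def build_sample_apk() -> bytes:
    """Constructed APK: one DEX resembling the fraud component (VirtualDisplay,
    synthetic touches, SQLCipher, partial emulator check) plus a benign one."""
    fraud_like = build_minimal_dex([
        "Landroid/hardware/display/DisplayManager;", "createVirtualDisplay",
        "Landroid/view/MotionEvent;", "obtain",
        "Landroid/app/Instrumentation;", "sendPointerSync",
        "Lnet/sqlcipher/database/SQLiteDatabase;",
        "Landroid/os/Build;", "FINGERPRINT",  # no "goldfish": category stays False
    ])
    benign = build_minimal_dex(["Lcom/example/MainActivity;", "onCreate"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("classes.dex", fraud_like)
        zf.writestr("classes2.dex", benign)
        zf.writestr("AndroidManifest.xml", b"")
    return buf.getvalue()


if __name__ == "__main__":
    for category, hit in triage_apk(build_sample_apk()).items():
        print(f"{category:20s} {'HIT' if hit else '-'}")
```

Against a real sample, point `triage_apk` at the APK's bytes; matching on the string table rather than on decompiled source keeps the check cheap enough to run over a whole corpus of repackaged apps, and categories that fire together (off-screen rendering plus synthetic input plus encrypted local state) are the combination worth escalating. Note that an app which loads its fraud module dynamically from the C2, as the summary describes, may show none of these strings in the shipped DEX, so a clean result from static triage does not clear a sample.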
Source: https://www.jamf.com/blog/mobidash-android-ad-fraud-click-injection-analysis/