Are “Offerwalls” siphoning your personal information?

A relatively new development in app advertising has a concerning feature. It leeches much of the same information that many Android Trojans also steal. Through an app promotion campaign, a new feature called “offerwalls” are used by Pay Per Install (PPI) services to promise further adoption and revenue for app developers. But what is the real danger? It is found in the way these services uniquely identify users and the information they collect.

What is Pay Per Install?

Pay Per install within the Android App world, is a service offered by specialized advertisers to app developers with the intention of further exposing their apps to a larger audience. Many services exist, such as Tapjoy and Everbadge, which, in the latter case, promises to increase app revenue by “50-400%”. These sites use a particular method of tracking users. App developers need to enable this tracking somehow. In most cases, an SDK (software development kit) must be installed. Tracking code is added to the developer’s application, and that code is supplied by the PPI site.

What is an “Offerwall”?

To further entice users to keep playing games, or to try new apps, the “offerwall” was invented where developers can offer points, virtual goods, or even currencies. In many cases, this is simply a place where users who complete certain amounts of a game, or complete various tasks, will be awarded a badge or some type of virtual reward as well as advertising other apps. This offerwall is displayed within the downloaded application. For each task accomplished, new badges are attained. This is only one use case, and a far more familiar version of this type of tactic can be found on sites like Facebook, in games like Farmville, or similar.

What information is shared?

For these types of campaigns to work, the users of the apps must be uniquely identified in some way. A unique ID is assigned to each user and these ID’s are sent back to the advertising service. In many cases these apps request a large amount of personal data such as Contact data, Calendar events, the ability to send email, and the ability to send SMS messages. How much of this data is collected by the advertisers as well as how it is used, is unclear, and the possiblilty that this data is collected by more than just the app developer is never explicitly stated.

What can this information be used for?

This type of data, along with the ability to uniquely identify specific phones presents an interesting problem for end users. It’s a great example of why users need to be so careful when examining requested permissions by particular applications before they install them. It is unclear why many of these apps would require the ability to send SMS messages. Many of these apps also use geographic location identification. When third parties are able to identify a user, their contacts and their precise location, user safety, privacy and anonymity are at risk.

What can I do about it?

Examine app permission requests very carefully. If apps contain “offerwalls” treat them as suspect as they may be siphoning off data you never intended to share. Read reviews from other users carefully, and if you already have these apps installed, monitor your personal information carefully as well. With the explosion in popularity of mobile apps, and the consequent advertising industry following it, it is becoming increasingly hard to define what constitutes spyware. Buyer beware.

Are “Offerwalls” siphoning your personal information?

Your email address will not be published. Required fields are marked *



APT trends report Q2 2021

This is our latest summary of advanced persistent threat (APT) activity, focusing on significant events that we observed during Q2 2021: attacks against Microsoft Exchange servers, APT29 and APT31 activities, targeting campaigns, etc.

LuminousMoth APT: Sweeping attacks for the chosen few

We recently came across unusual APT activity that was detected in high volumes, albeit most likely aimed at a few targets of interest. Further analysis revealed that the actor, which we dubbed LuminousMoth, shows an affinity to the HoneyMyte group, otherwise known as Mustang Panda.

WildPressure targets the macOS platform

We found new malware samples used in WildPressure campaigns: newer version of the C++ Milum Trojan, a corresponding VBScript variant with the same version number, and a Python script working on both Windows and macOS.

Ferocious Kitten: 6 years of covert surveillance in Iran

Ferocious Kitten is an APT group that has been targeting Persian-speaking individuals in Iran. Some of the TTPs used by this threat actor are reminiscent of other groups, such as Domestic Kitten and Rampant Kitten. In this report we aim to provide more details on these findings.

Subscribe to our weekly e-mails

The hottest research right in your inbox