
Conversation

carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What this post covers
HUMAN’s Satori Threat Intelligence team details “SlopAds,” a large Android ad/click‑fraud operation coordinated across at least 224 Google Play apps (38M+ installs across 228 countries/territories). At peak, SlopAds generated ~2.3B bid requests/day, with traffic heaviest in the United States (30%), India (10%), and Brazil (7%). The campaign is classified under the IVT Tax...

🔧 Technical Details

Attribution‑gated activation to evade review: Only enable fraud for installs attributed to paid ads by checking for a mobile marketing attribution tag in network traffic. Keep organic installs benign to pass store review and basic QA.

Steganographic module delivery in images: Hide an APK across multiple PNG files (e.g., delivered in a ZIP), decrypt and reassemble on device, then dynamically load the resulting module to avoid static scanning of the base app.

Hidden WebView telemetry and environment gating: Use a headless/hidden WebView to POST device/browser data, then check for emulator/root/debug signals. Abort when high analysis risk is detected to reduce exposure.

Redirect‑based referrer sanitization: Route hidden WebView traffic through multi‑hop redirects that mutate tracking parameters, making ad requests appear legitimate and obscuring the fraud source.



🤖 Agent Actions

I analyzed the blog and the HackTricks repository, found the best place to add the new content, and implemented the update.

What I updated

  • File: src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/png-tricks.md

What I added

  • New subsection: “Android steganographic APK loader + dynamic code loading and hidden WebView clicker” that abstracts and generalizes the SlopAds techniques into actionable DFIR and offensive/defensive methodology:
    • PNG steganography triage and extraction
      • Practical workflow for appended-after-IEND payloads, custom ancillary chunks, and LSB-based stego
      • Tooling: pngcheck, binwalk, exiftool, zsteg
      • A Python extractor for data-after-IEND trailers, guidance for reassembling multi-part APKs from several PNGs, and fixing with zip -FF
      • Internal ref to ZIP anti-reversing tricks page for related APK/ZIP header manipulations
    • Detecting and hooking dynamic code loading
      • Frida hooks for DexClassLoader and native lib loads (System.load/System.loadLibrary/Runtime.load)
      • Internal ref to the dynamic code loading/RCE page for background and broader auditing methodology
    • Hidden WebView telemetry and click automation
      • Frida hooks for WebView constructors, loadUrl, loadDataWithBaseURL, evaluateJavascript to surface hidden activity
      • Example JavaScript that clicks only viewable ad elements (bounding-rect/viewport checks) to mirror the campaign’s viewability-aware clicks
      • Internal ref to WebView attack surface and security page
    • Anti-analysis gates to expect (debugger, emulator, root checks; string encryption; packed JNI) with internal ref to Android anti-instrumentation/pinning bypass page
    • DFIR indicators and detections for network and host/process activity (Firebase Remote Config → ZIP of PNGs, hidden WebView to H5 cashout pages with multi-hop redirects, image-to-binary reconstruction → DexClassLoader, evaluateJavascript bursts)
    • References section added at the end with:
      • The SlopAds blog URL
      • Firebase Remote Config
      • Android dynamic code loading risks
      • pngcheck, binwalk, zsteg

Internal cross-references (validated relative paths)

  • zips-tricks.md (same directory)
  • ../../../../mobile-pentesting/android-app-pentesting/insecure-in-app-update-rce.md
  • ../../../../mobile-pentesting/android-app-pentesting/webview-attacks.md
  • ../../../../mobile-pentesting/android-app-pentesting/android-anti-instrumentation-and-ssl-pinning-bypass.md

Why this location

  • The techniques pivot on PNG steganography to deliver an APK/DEX, which aligns with Specific Software/File-Type Tricks > PNG tricks. The update also references related Android app pentesting pages via internal refs instead of duplicating content.

No other modifications were necessary

  • WebView and dynamic code loading are already well-covered in mobile-pentesting; I linked to those instead of duplicating content.

All changes are implemented directly in the repo.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 876
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).

🗑️ File Cleanup

  • searchindex.js removed: This auto-generated file has been removed to prevent conflicts.

…aud with ...

- Remove searchindex.js (auto-generated file)
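As an added example (not code from this PR, from the HackTricks repository, or from the source blog), here is a Python triage helper for the PNG-carrier technique described under Technical Details and in the "PNG steganography triage and extraction" item of the PR description. It walks the chunk list, verifies each CRC, flags chunk types that are not in the PNG specification, measures the size, entropy and file signature of any bytes appended after IEND, and reassembles the trailers of several images in a given order. The 1x1 sample images, the `daTa` chunk and the `PK`-prefixed payload are constructed inline for the demonstration; the function names are my own and not tooling referenced by the page.

```python
import math
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

# Chunk types defined by the PNG spec (critical + standard ancillary). Any other type
# deserves a look: it may be a vendor extension, or a carrier for hidden data.
SPEC_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tRNS", b"cHRM", b"gAMA", b"iCCP", b"sBIT",
    b"sRGB", b"tEXt", b"zTXt", b"iTXt", b"bKGD", b"hIST", b"pHYs", b"sPLT", b"tIME", b"eXIf",
}

# File signatures a (reassembled) trailer might start with: ZIP/APK, DEX, ELF.
MAGICS = [(b"PK\x03\x04", "zip/apk"), (b"dex\n", "dex"), (b"\x7fELF", "elf")]


def make_chunk(ctype, body):
    """Build one PNG chunk (length, type, body, CRC). Used here only to construct sample images."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def parse_png(data):
    """Walk the chunk list. Returns (chunks, trailer): chunk metadata and every byte after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        stored_crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(stored_crc) != 4:
            raise ValueError("truncated chunk at offset %d" % pos)
        crc_ok = stored_crc == struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append({"type": ctype.decode("latin-1"), "offset": pos, "length": length,
                       "crc_ok": crc_ok, "in_spec": ctype in SPEC_CHUNKS})
        pos += 12 + length
        if ctype == b"IEND":
            return chunks, data[pos:]  # everything after IEND is the trailer
    raise ValueError("no IEND chunk found")


def shannon_entropy(buf):
    """Bits per byte; values near 8 on a sizeable buffer suggest compressed or encrypted content."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)


def triage_png(data):
    """Summarise what an analyst wants from one image: odd chunks, bad CRCs, trailer size and kind."""
    chunks, trailer = parse_png(data)
    kind = next((name for magic, name in MAGICS if trailer.startswith(magic)), "unknown")
    return {
        "unknown_chunks": [c["type"] for c in chunks if not c["in_spec"]],
        "bad_crc_chunks": [c["type"] for c in chunks if not c["crc_ok"]],
        "trailer_len": len(trailer),
        "trailer_kind": kind if trailer else None,
        "trailer_entropy": round(shannon_entropy(trailer), 2),
    }


def reassemble_trailers(png_blobs):
    """Concatenate the after-IEND trailers of several PNGs, in the order given, into one blob."""
    return b"".join(parse_png(blob)[1] for blob in png_blobs)


# ---- constructed sample data (not taken from any real campaign) ----
def sample_png(extra_chunks=(), trailer=b""):
    """A valid 1x1 RGB PNG, optionally with extra chunks before IEND and bytes appended after it."""
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))  # filter byte + one RGB pixel
    return PNG_SIG + ihdr + idat + b"".join(extra_chunks) + make_chunk(b"IEND", b"") + trailer


# Constructed stand-in for a ZIP carrying a module, split across two carrier images.
PAYLOAD = b"PK\x03\x04" + bytes(range(256)) * 2
PART1 = sample_png(trailer=PAYLOAD[:300])
PART2 = sample_png(extra_chunks=[make_chunk(b"daTa", b"x" * 16)], trailer=PAYLOAD[300:])

if __name__ == "__main__":
    for name, blob in (("part1.png", PART1), ("part2.png", PART2)):
        print(name, triage_png(blob))
    rebuilt = reassemble_trailers([PART1, PART2])
    print("reassembled %d bytes, starts with %r" % (len(rebuilt), rebuilt[:4]))
```

On real evidence, call `triage_png(open(path, "rb").read())` per image; a trailer whose signature is `unknown` but whose entropy sits near 8 bits per byte is the case the description covers (an encrypted part that is only decrypted on device), so the reassembly order and the decryption routine then have to come from the loader code rather than from the images alone.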
@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.humansecurity.com/learn/blog/satori-threat-intelligence-alert-slopads-covers-fraud-with-layers-of-obfuscation/

Content Categories: Based on the analysis, this content was categorized under "Generic Methodologies & Resources > Basic Forensic Methodology > Specific Software/File-Type Tricks > PNG tricks (add subsection: Android steganographic APK loader + dynamic code loading and hidden WebView clicker)".

Repository Maintenance:

  • MD Files Formatting: 876 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
