Somewhere over the RAINBOW(MIX)
October 2020 by White Ops
Those of us who are of “a certain age” have fond memories of the first time we played what are now considered “retro” video games. Perhaps the biggest thing that sticks out about games of that era is the vibrant 8- and 16-bit color palette.
White Ops recently identified a series of 240+ Android apps engaging in deceptive behavior by using out-of-context (OOC) ads. These apps make it appear that the ads are actually coming from popular applications and social media platforms, including YouTube and Chrome. We dubbed this investigation “RAINBOWMIX” as a nod to the colorful games of years ago. The RAINBOWMIX assortment of apps garnered more than 14 million downloads, and at its peak had more than 15 million ad impressions per day.
At first glance, RAINBOWMIX apps seem to work as advertised, although their quality likely leaves users wanting. They are often nothing more than Nintendo (NES) emulators ripped from legitimate sources or low quality games; all of the apps associated with the RAINBOWMIX operation have been removed from the Google Play Store. While not a very sophisticated tactic, the use of packers allowed these apps to bypass certain security protocols.
A packer is software that compresses its contents (saving a bit of space) and obfuscates the final payload; when the appropriate time comes, the packer “unpacks” what it contains. Packers are now frequently used for intellectual property protection, be it game assets... or malicious code that tries to bypass antivirus engines.
The code responsible for the out-of-context ads is located in packages that belong to legitimate SDKs, such as Unity and Android. All of the apps discovered seem to possess fairly low detection ratings across AV engines, largely because of the packer being used.
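The two preceding paragraphs describe what a packer leaves behind in an APK: a stub that unpacks the real code at runtime, and an obfuscated payload that static AV scans do not recognize. The following triage script is an added example written for this article, not code from White Ops or from the RAINBOWMIX apps. It treats an APK as the zip archive it is, measures the Shannon entropy of every entry, and flags the two structural hints a defender looks for first: a very small `classes.dex` (a loader rather than the app's real code) and high-entropy non-media blobs under paths such as `assets/` that could be a packed payload. The thresholds, the helper names (`triage_apk`, `build_sample_apk`, `_pseudo_random`) and the sample archive are all constructed assumptions for the example.

```python
import hashlib
import io
import math
import zipfile
from collections import Counter

# Thresholds are assumptions chosen for this example, not values from the report.
HIGH_ENTROPY_BITS = 7.5        # bits per byte; 8.0 is uniformly random
SMALL_DEX_BYTES = 64 * 1024    # a loader-only classes.dex is usually tiny
MEDIA_SUFFIXES = (".png", ".jpg", ".jpeg", ".webp", ".mp3", ".ogg", ".mp4", ".ttf")


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. Encrypted or compressed payloads sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_apk(apk_bytes: bytes) -> dict:
    """Scan an APK (a zip archive) for two packer indicators: a tiny classes.dex
    (the real code arrives later) and high-entropy non-media blobs (the packed
    payload). Returns per-entry stats plus a list of human-readable indicators."""
    report = {"entries": {}, "indicators": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            data = zf.read(name)
            entropy = shannon_entropy(data)
            report["entries"][name] = {"size": len(data), "entropy": round(entropy, 2)}

            # classes.dex, classes2.dex, ... that are far too small to hold a whole app
            if name.startswith("classes") and name.endswith(".dex") and len(data) < SMALL_DEX_BYTES:
                report["indicators"].append(f"small dex: {name} ({len(data)} bytes)")

            # Images and audio are already compressed, so only flag other file types.
            is_media = name.lower().endswith(MEDIA_SUFFIXES)
            if entropy >= HIGH_ENTROPY_BITS and not is_media and not name.endswith(".dex"):
                report["indicators"].append(f"high-entropy blob: {name} ({entropy:.2f} bits/byte)")
    return report


def _pseudo_random(n: int, seed: bytes = b"constructed-sample") -> bytes:
    """Deterministic high-entropy bytes (SHA-256 chain) standing in for an encrypted payload."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def build_sample_apk() -> bytes:
    """Constructed sample archive, not a real app: a loader-sized dex plus an
    encrypted-looking asset, mimicking the layout a packer produces."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest package='example.app'/>" * 20)
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 2040)          # loader stub only
        zf.writestr("assets/stage2.bin", _pseudo_random(8192))              # packed payload
        zf.writestr("res/drawable/icon.png", _pseudo_random(4096, b"png"))  # media: ignored
    return buf.getvalue()


if __name__ == "__main__":
    result = triage_apk(build_sample_apk())
    for entry, stats in result["entries"].items():
        print(f"{entry:28} {stats['size']:>7} B  {stats['entropy']:.2f} bits/byte")
    print("indicators:", result["indicators"])
```

Run it against a real APK by replacing `build_sample_apk()` with the file's bytes. The output is a starting point for manual review, not a verdict: a legitimate app can ship encrypted assets, and a packer can pad its stub above any size threshold, which is why the entropy and size figures are reported for every entry rather than collapsed into a single score.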