Privacy Ninja



        • Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

RainbowMix Apps Generate $150,000 In Daily Ad Fraud Profit

RainbowMix Apps Generate $150,000 In Daily Ad Fraud Profit

A massive fraudulent advertising business disrupted recently perpetrated through more than 240 apps in Google Play generated profits that could amount to more than $150,000 per day.

For months, the army of deceptive apps, mostly low-quality games or stolen Nintendo Entertainment System (NES) emulators, was present in the official Android store, raking over 14 million installations.

While their behavior was not malicious, they disrupted the user experience by displaying out of context (OOC) ads, which appear to come from legitimate apps on the phone.

Intrusive ads turn a good profit

Security researchers at bot mitigation and fraud prevention company White Ops named this assortment of apps RainbowMix, due to the 8-16 bit games distributing the invasive ads.

OOC ads are not new but have become widespread this year and appear on the screen when the user is not active in the app that generates them.

In the case of RainbowMix, the apps pretend to be from popular apps and social media platforms like YouTube and Chrome.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

An example is below, courtesy of White Ops, where the ad pretends to be from YouTube and takes over the entire phone screen:

Gabriel Cirlig, the lead researcher on RainbowMix, says that at its peak, this operation garnered more than 15 million ad impressions per day. After August 21, White Ops saw this many daily ad impressions consistently, from the RainbowMix app collective.

Although it is difficult to translate this into profit, even if the fraudsters received one cent per view, they would make at least $150,000 on the best days.

In a paper today, the researcher says that the code for the OOC ads was present in packages from legitimate Android and Unity software development kits (SDKs).

This helped them keep mostly undetected when inspected by researchers or static analysis engines. However, what contributed to a low detection rate was the use of the Tencent Legu packer.

“All RAINBOWMIX apps are packed with various versions of the Tencent Legu packer. While some of the apps are detected as malicious on multi-scanning platforms, these detections are often vague and only relate to the use of the specific packer, and not their behavior when unpacked” – White Ops

Taking a closer look at the apps, Cirlig noticed in their manifest (a document with build details about the app) that services and receivers responded to more triggers than normal:

system boot connection changes charging cable plug in/outs app installations

The researcher says that the code responsible for this resided in familiar packages but had no purpose in the apps. He believes that it was an obfuscation layer designed to create confusion during analysis.

The RainbowMix apps had code that tracked the current state of the screen (on/off). This way, the delivery of the ads occurred at the right time, and the impressions were valid, increasing the revenue.

Also Read: The Importance Of Knowing Personal Data Protection Regulations

The command and control (C2) server instructing the RainbowMix app to display the OOC ad was a hacked domain (pythonexample[.]com) that no longer serves content but is active until February 27, 2021.

Cirlig found that a JSON payload was downloaded from the C2 server immediately after installing a RainbowMix app. The file determined the ad network and the display frequency on the phone (every 10 minutes).

The RainbowMix apps were present in the Android Play store for up to a year and Google promptly removed all of them at the end of August following White Ops’ responsible reporting.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us