
Clair Aird
The Kaleidoscope ad fraud network infects two and a half million devices a month. Germany seizes the eXch crypto mining service, the US takes down the AnyProxy botnet, and Chrome will use on-device AI to detect tech support scams. This is Risky Bulletin, prepared by Catalin Cimpanu and read by me, Clair Aird. Today is the 12th of May, and this podcast episode is brought to you by Corelight. A mobile ad fraud network is installing ad fraud software on more than 2.5 million Android phones every month. The operators of the Kaleidoscope botnet have developed and published legitimate ad-supported apps to Google's Play Store, but it also distributes ad fraud-enabled versions of those apps via third-party stores. These fraud-enabled apps collect payment for ad impressions that never happened, with the fraudulent impressions appearing to come from the legitimate apps. Kaleidoscope is the second ad fraud network to adopt this technique. The Confetti botnet first used it last year. In other news, German authorities have seized the servers of the eXch cryptocurrency mining service. Blockchain investigations firm Elliptic says 98% of funds that passed through the service were linked to criminal activity. German police expedited the seizure after the mixer announced it would shut down. Officials say they seized 8 terabytes of data and 34 million euros worth of assets. The FBI has seized the AnyProxy botnet's domain infrastructure. Authorities have also charged three Russians and a Kazakh national with allegedly running the botnet. The four are accused of hacking home routers and using them to operate the proxy service. They're believed to have made more than $46 million over two decades, according to Lumen's Black Lotus Labs, and the botnet had more than 7,000 proxies available on any given day. NATO's cyber chief says Russian cybercriminals are working with the Kremlin to cause havoc.
NATO CCDCOE director Mart Noorma told Estonian TV that the Kremlin uses criminal groups to make attribution difficult. He said the aim is to damage infrastructure, steal money and reduce citizens' trust in local government. A threat actor has hacked the student engagement platform iClicker and added a malicious CAPTCHA to US university websites. The CAPTCHA instructed visitors to copy and paste commands into the Windows command prompt. The CAPTCHA was live on all iClicker portals for five days in April. Recent hacks against Japanese brokerage accounts have resulted in fraudulent trades of close to $2 billion. Hackers have been breaking into accounts to manipulate stock prices using the account holders' assets. Japanese financial authorities say more than 6,000 accounts have been hacked this year. The volume of trades is triple the $700 million figure that was initially reported in April. Meanwhile, hackers have stolen data from education platform Pearson. The incident took place in early May, and the company says it appears most of the stolen data was old. This is the company's second security breach this year. Google will pay Texas a $1.4 billion settlement for collecting biometric data and tracking users' geolocation and incognito searches. The settlement agreement puts an end to two lawsuits filed by Texas in 2022. The state also secured a $1.4 billion settlement from Meta last year after the company collected facial scans from users without their permission. The Wikimedia Foundation has filed a lawsuit against the UK government over its implementation of the Online Safety Act. The law will require Wikimedia to verify the identity of Wikipedia users starting next year. The foundation said privacy is essential to keeping users safe. Some users rely on anonymity in countries with authoritarian governments. Philippine authorities have detained 31 people in a raid of an online scam centre in Makati City.
All suspects are foreigners and most are Chinese nationals. Officials said they were acting on a presidential directive to crack down on international cybercrime syndicates that have been setting up in the country. Irish authorities have sentenced a 43-year-old man to two years in prison on cybercrime charges. Suleman Mazar ran a website that sold malware, ransomware and fake bank and credit card data. Officials arrested Mazar in 2022. He's also pleaded guilty to money laundering. More than 8,000 automated fuel tank gauge systems are exposed on the Internet without authentication. The systems automate the monitoring of fuel tank levels, temperature and pressure. Most of the exposed systems are from Veeder-Root, a major supplier in the US. Security organisation DIVD says it's notified vendors and is working to advise on proper security controls. And finally, Google will use on-device LLMs to detect potential tech support scams and alert Chrome users. The company says on-device LLMs will help it detect these sites faster. The current process of adding scams to the Safe Browsing system can take hours. The new feature is scheduled to arrive with Chrome 137 later this month. And that is all for this podcast edition. Today's show was brought to you by our sponsor Corelight. Find them at corelight.com. Thanks for your company.
Risky Bulletin: Kaleidoscope Ad Fraud Network Infects 2.5 Million Devices a Month
Release Date: May 11, 2025 | Host: Clair Aird | Prepared by: Catalin Cimpanu
In the latest episode of Risky Bulletin, host Clair Aird delivers a comprehensive update on recent cybersecurity threats and law enforcement actions. From sophisticated ad fraud networks to significant legal settlements involving tech giants, this episode covers a wide spectrum of critical issues impacting the digital landscape. Below is a detailed summary of the key topics discussed.
Clair Aird opens the episode by highlighting a major development in mobile ad fraud. The Kaleidoscope botnet is reported to infect over 2.5 million Android devices each month.
"A mobile ad fraud network is installing ad fraud software on more than 2.5 million Android phones every month." [00:04]
The operators behind Kaleidoscope distribute legitimate, ad-supported apps via the Google Play Store while also offering fraud-enabled versions of the same apps through third-party stores. The fraud-enabled builds report ad impressions that never occurred, and because the impressions appear to come from the legitimate Play Store apps, the payments are collected under cover of ordinary app activity. This method mirrors the tactic used by the Confetti botnet last year, making Kaleidoscope the second network to adopt it.
In a significant crackdown, German authorities have seized the operations of the eXch cryptocurrency mining service. According to blockchain investigations firm Elliptic, 98% of the funds processed through eXch were associated with criminal activity.
"Officials say they seized 8 terabytes of data and 34 million euros worth of assets." [00:04]
The seizure was expedited following the service's announcement to shut down, indicating a swift response by law enforcement to disrupt illicit financial operations.
The FBI has successfully dismantled the AnyProxy botnet, a notorious proxy service, by seizing its domain infrastructure. This operation led to charges against three Russian nationals and one Kazakh individual, accused of hacking home routers to operate the botnet.
"They're believed to have made more than $46 million over two decades, according to Lumen's Black Lotus Labs." [00:04]
With over 7,000 proxies available daily, the AnyProxy botnet facilitated vast amounts of malicious activity, underscoring the scale and longevity of this cybercriminal enterprise.
Mart Noorma, NATO CCDCOE director, described the cooperation between Russian cybercriminals and the Kremlin in an interview with Estonian TV.
"The Kremlin uses criminal groups to make attribution difficult. He said the aim is to damage infrastructure, steal money and reduce citizens' trust in local government." [00:04]
This strategic alliance poses significant threats, aiming to undermine critical infrastructure and erode public trust in governmental institutions.
A security breach in the iClicker student engagement platform led to the insertion of a malicious CAPTCHA on U.S. university websites. The fake CAPTCHA instructed visitors to copy and paste commands into the Windows command prompt, a lure that gets the victim to run attacker-supplied commands on their own machine.
"The captcha was live on all iClicker portals for five days in April." [00:04]
The attack remained undetected for five days, highlighting vulnerabilities in widely used educational technologies.
Recent cyberattacks on Japanese brokerage firms have resulted in nearly $2 billion in fraudulent trades. Hackers manipulated stock prices by accessing and exploiting account holders' assets.
"More than 6,000 accounts have been hacked this year. The volume of trades is triple the $700 million figure that was initially reported in April." [00:04]
Japanese financial authorities are grappling with the scale of these breaches, emphasizing the need for enhanced security measures in the financial sector.
Early May witnessed a data breach at the Pearson education platform, where hackers accessed and stole user data. Pearson has indicated that most of the compromised information was outdated, mitigating some potential damages.
"This is the company's second security breach this year." [00:04]
The recurrence of such incidents raises concerns about ongoing vulnerabilities within educational institutions' digital infrastructures.
Google has agreed to a $1.4 billion settlement with the state of Texas concerning the unauthorized collection of biometric data. This settlement concludes two lawsuits filed by Texas in 2022.
"The settlement agreement puts an end to two lawsuits filed by Texas in 2022." [00:04]
Previously, the state secured an identical settlement from Meta in 2024 for unauthorized facial scans, signaling a trend of holding large tech companies accountable for privacy infringements.
The Wikimedia Foundation has initiated legal action against the UK government in response to the Online Safety Act. The law mandates the verification of Wikipedia users' identities starting next year, a move Wikimedia argues threatens user privacy and safety.
"The foundation said, 'Privacy is essential to keeping users safe. Some users rely on anonymity in countries with authoritarian governments.'" [00:04]
This lawsuit underscores the tension between regulatory efforts to increase online safety and the protection of user anonymity and privacy.
In Makati City, Philippine authorities detained 31 individuals, predominantly Chinese nationals, involved in an international online scam center. This operation was carried out under a presidential directive aimed at dismantling cybercrime networks operating within the country.
"Officials said they were acting on a presidential directive to crack down on international cybercrime syndicates that have been setting up in the country." [00:04]
This crackdown represents the Philippines' commitment to combating cybercriminal activities hosted within its borders.
Suleman Mazar, a 43-year-old from Ireland, has been sentenced to two years in prison on multiple cybercrime charges. Mazar operated a website distributing malware, ransomware, and counterfeit financial data. Additionally, he has pled guilty to money laundering.
"He’s also pleaded guilty to money laundering." [00:04]
His arrest in 2022 reflects ongoing efforts to prosecute individuals facilitating cyber threats and financial crimes.
A security lapse has left more than 8,000 automated fuel tank gauge systems exposed on the Internet without proper authentication. These systems monitor fuel tank levels, temperature, and pressure, presenting significant security risks if accessed maliciously.
"Most of the exposed systems are from Veeder-Root, a major supplier in the US. Security organisation DIVD says it's notified vendors and is working to advise on proper security controls." [00:04]
The exposure highlights the critical need for safeguarding industrial control systems against unauthorized access.
Google announced that its Chrome browser will integrate on-device Large Language Models (LLMs) to identify and alert users about potential tech support scams more swiftly.
"Google says on-device LLMs will help it detect these sites faster." [00:04]
This change aims to reduce the time it takes to add scam sites to the Safe Browsing system, a process that previously could take hours. The feature is expected to roll out with Chrome 137 later this month.
This episode of Risky Bulletin underscores the multifaceted nature of contemporary cybersecurity challenges, from sophisticated ad fraud networks and cryptocurrency-related crimes to significant legal actions against major tech companies. The continuous evolution of cyber threats necessitates proactive measures and robust responses from both authorities and technology providers to safeguard digital ecosystems worldwide.