That NES emulator you’ve been using to play Super Mario on Android may well be a fraud

Researchers have identified a litany of fraudulent Android applications in circulation, with millions of collective downloads, many of which play on video game-related themes.

According to security firm White Ops, a selection of 240+ Android apps have been engaged in deceptive behaviors using out of context (OOC) ads, designed to mimic those that might be served by popular platforms such as YouTube.

Often, these highly convincing apps took the form of Nintendo Entertainment System (NES) emulators, which provide a way for nostalgic Android users to play retro video games from the late 80s, such as Super Mario Bros.

The elaborate campaign has been dubbed RAINBOWMIX by the researchers responsible for its discovery, in reference to the vibrant color palette of games from the NES era.

At the operation’s peak in May, the fraudulent apps were generating more than 15 million ad impressions per day for their operators.

Fraudulent Android apps

What makes the RAINBOWMIX operation unusual, according to White Ops, is the effort that went into ensuring the apps function at least partially as advertised (increasing the likelihood a user returns) and the ease with which so many of them made their way onto the Google Play Store.

To bypass the various security protocols that guard against fraudulent software, the apps made use of a relatively unsophisticated technique involving packers, described as “software that obfuscates a final payload”.

“The code responsible for the out of context ads is located in packages that belong to legitimate SDKs, such as Unity and Android. All of the apps discovered seem to possess fairly low detection ratings across antivirus engines, largely because of the packer.”

The firm was careful to note, however, that its investigation did not detect any fraud directly tied to the legitimate SDKs referenced.

While all software associated with RAINBOWMIX has now been removed from the Google Play Store, the apps have been downloaded more than 14 million times collectively and likely remain on a significant proportion of those devices.

The offending apps are said to monitor when users turn their screen on and off to optimize ad delivery, but TechRadar Pro has sought further clarification over the threat to end users, and will update this article accordingly.

A full list of the affected applications has been published on the White Ops blog.

Joel Khalili
News and Features Editor
