A massive ad fraud operation known as Konfety is using over 250 Google Play decoy apps to hide malicious twins. The campaign leverages a mobile advertising SDK linked to a Russia-based ad network named CaramelAds.

The initial stage of the infection involves a .bat file delivered through social engineering, containing a base64-encoded payload??. This leads to an obfuscated .NET executable file as the next infection stage??.