Security Experts:

Connect with us

Hi, what are you looking for?


Application Security

‘LuckyBoy’ Malvertising Campaign Hits iOS, Android, XBox Users

A recently identified malvertising campaign targeting mobile and other connected devices users makes heavy use of obfuscation and cloaking to avoid detection.

A recently identified malvertising campaign targeting mobile and other connected devices users makes heavy use of obfuscation and cloaking to avoid detection.

Dubbed LuckyBoy, the multi-stage, tag-based campaign is focused on iOS, Android, and Xbox users. Since December 2020, it penetrated over 10 Demand Side Platforms (DSP), primarily Europe-based, with observed campaigns impacting users in the U.S. and Canada.

According to security vendor Media Trust, the malware checks for a global variable ‘luckyboy’ that allows it to detect whether blockers, testing environments, and active debuggers are present on the device. If any is detected, the malware won’t execute.

Should it run on a target environment, the malware executes a tracking pixel programmed to redirect the user to malicious content, including phishing pages and fake software updates.

LuckyBoy was observed operating in bursts: small campaigns are launched on Thursday nights, with only a few compromised tags, and continue throughout the weekend.

Multiple checks are performed as the campaign advances through stages, with extensive code obfuscation and domain exclusion employed, and device-specific information extracted.

The harvested device data includes country code, window size, graphics information, number of CPU cores, battery level, current domain, plugins, the presence of webdriver, and whether touch is available, likely to set up for future attacks.

The malware continuously performs checks to ensure that the value of the global variable remains ‘luckyboy’. Otherwise, the script stops execution and exits after delivering a clean creative to the user.

“LuckyBoy is likely executing tests, probing to gauge their success before launching a broader attack. Campaign was confirmed to execute on tags wrapped with malware blocking code, bypassing these defenses as further evidence that its sophistication is impressive,” The Media Trust notes in a report shared with SecurityWeek.

The security firm says it is currently working with Google and TAG Threat Exchange to isolate the buyer and block them from launching these campaigns.

Related: Recently Disclosed WordPress Plugin Flaws Exploited in Malvertising Operation

Related: U.S. Charges Ukrainian for Malvertising

Related: Tools Used in GhostDNS Router Hijack Campaigns Dissected

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...