'Evil Twin' Apps Spread for Multiple Fraud Schemes
Essential information
- Published: 17/07/2024 10:52
- Modified: 17/07/2024 12:29
- Tags: 2024-07-17 ad fraud impersonation konfety malvertising mobile obfuscation
- Related entities: 1 malware
Description
HUMAN's Satori Threat Intelligence and Research team recently uncovered a massive ad fraud operation dubbed Konfety, in which threat actors operate 'evil twin' versions of 'decoy twin' apps available on major app marketplaces. The decoy twins on official stores behave normally, while the evil twins conduct ad fraud, install browser extensions, monitor web searches, and sideload malicious code onto devices by abusing an ad SDK called CaramelAds. This novel obfuscation method makes fraudulent traffic appear legitimate.