A large-scale social engineering campaign called FriendlyDealer has been identified operating across 1,500+ domains that impersonate the Google Play Store and Apple App Store. The campaign uses a single reusable kit that detects the user's device and displays a convincing fake app store page, then tricks users into installing Progressive Web Apps (PWAs) disguised as gambling apps. The kit abuses Chrome's PWA install prompt on Android so no 'unknown sources' warning appears. Once installed, the fake app redirects users to unregulated casino sites via affiliate links, earning commissions when users sign up or deposit money. The operation does not steal credentials or install traditional malware — it profits entirely from gambling affiliate payouts. Code artifacts including Russian-language comments and Yandex Metrica integration suggest a Russian-speaking development context. Remediation steps for both Android and iOS are provided, along with indicators of compromise.

10m read time. From securityboulevard.com
Table of contents: One kit, dozens of apps, built to mimic real app stores; You’re not installing an app; One domain ties it all together; Follow the money: affiliate commissions, not malware; Who’s behind this?; A familiar trick with a different payoff; What to do if you installed one of these apps; Indicators of Compromise (IOCs)
