December 14, 2020

Large Russian illegal gambling distribution network GamblingPRO

Gambling.pro is another big actor in spreading gambling and betting maskware. To get started with them, you need to register on their website.

Main screen

After registering, you can use a Telegram bot to generate links for Facebook, TikTok and other traffic sources. Those links (and deeplinks) open Google Play apps, which are maskware.

To get started with the bot you need Telegram client software and an account.

You can download the client here: https://telegram.org/

Next, you can register a free account in this messenger.

Once your account is registered, you can add this address as a friend: @GamblingProTGB_bot

Registering in bot using ID from screenshot 1

You will be asked for your unique ID (screenshot 1); in our case it is 41024.

Choose app to work with

You can choose any app to work with (3). Some apps are flagged with a recommendation not to run them on Facebook, because they are banned in this ad network.

Getting TikTok links

The easiest way to receive links to packages in Google Play is to choose "Get TikTok links" (4).

The bot answers with a direct link to Google Play (5) and links to run attribution with AppsFlyer (6 and 7).

Also, this bot spreads news about fresh apps and banned ones, and announcements of new gambling/betting offers.

Users can also generate Facebook deeplinks with this bot.

With this bot now discovered and described, it's easy to quickly find and remove maskware from this actor.

By the way, it seems that Gambling Pro, like Multiapp, doesn't have its own coders and buys such apps from different creators. Unlike Multiapp, it is not a SaaS service but an affiliate network, earning money not from the apps themselves but from a cut of the affiliate offer price. So they are a client of maskware app developers.

Current (12-21-2020) live samples from Gambling Pro:

https://play.google.com/store/apps/details?id=com.heathenssquad.fera

https://play.google.com/store/apps/details?id=com.manearomi.essa

https://play.google.com/store/apps/details?id=com.dgwithout.napp

https://play.google.com/store/apps/details?id=com.newtips.fromdg

Network analysis of those files /smartanimo.com/

All of the above applications share one characteristic feature: a request to smartanimo.com, or to other links that ultimately redirect to it.

smartanimo.com is the clearest example of a cloaking link. When you try to go to this site, you get an error message with a 404 code, which implies that the site has no other payload. To reveal the site's functionality you need special links, namely those that are built into the applications. An example of such a link: https://smartanimo.com/LXgGWT; as of 18.12.20 it is still operational. When you use it, you are redirected to an empty page if the user's IP does not belong to the CIS region, or to the casino's page if the IP belongs to the CIS region.

Some applications have no references to smartanimo.com in their code but still reach it through other cloaked links, creating an additional "double bottom" when the application is checked. Because of these tricks, code analysis is not an effective way to search for applications of this family. The best way to do this is to analyze traffic using a VPN.
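One way to apply the traffic-based check described above, as an added example that is not from the original article: it rebuilds redirect chains from a proxy capture and flags any app whose chain reaches a watched cloaking host, including the "double bottom" case where the first request goes to a different domain. The record layout, the app ids, the `.example` hosts and the link paths are constructed assumptions.

```python
from urllib.parse import urljoin, urlsplit

CLOAK_HOSTS = {"smartanimo.com"}  # host named in the article; extend as needed

# Constructed sample capture (not real traffic): one (app, url, status, location)
# record per HTTP response seen while exercising each app behind a proxy.
SAMPLE_CAPTURE = [
    ("com.example.direct", "https://smartanimo.com/AAAAAA", 404, None),
    ("com.example.hidden", "https://short.example/x1", 302, "https://mid.example/go?id=7"),
    ("com.example.hidden", "https://mid.example/go?id=7", 301, "//smartanimo.com/BBBBBB"),
    ("com.example.hidden", "https://smartanimo.com/BBBBBB", 200, None),
    ("com.example.clean", "https://api.example.org/v1/config", 200, None),
]

def host_matches(url, hosts):
    """True if the URL's host is a watched host or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in hosts)

def redirect_chain(start, redirects, max_hops=10):
    """Follow recorded 3xx hops from start; stop on loops or after max_hops."""
    chain = [start]
    while chain[-1] in redirects and len(chain) <= max_hops:
        nxt = redirects[chain[-1]]
        if nxt in chain:
            break
        chain.append(nxt)
    return chain

def find_cloaked_apps(capture, hosts=CLOAK_HOSTS):
    """Map app id -> longest observed request chain that touches a watched host."""
    per_app = {}
    for app, url, status, location in capture:
        urls, redirects = per_app.setdefault(app, ([], {}))
        urls.append(url)
        if 300 <= status < 400 and location:
            redirects[url] = urljoin(url, location)  # resolve relative Location
    findings = {}
    for app, (urls, redirects) in per_app.items():
        for url in urls:
            chain = redirect_chain(url, redirects)
            hit = any(host_matches(u, hosts) for u in chain)
            if hit and len(chain) > len(findings.get(app, [])):
                findings[app] = chain
    return findings

if __name__ == "__main__":
    for app, chain in find_cloaked_apps(SAMPLE_CAPTURE).items():
        print(app, " -> ".join(chain))
```

Because the cloak serves different content by client IP region, the capture has to be taken from the region the cloak targets, which is why the article pairs traffic analysis with a VPN.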

Charles software and gambling landing

List of apps using such URL techniques:

Gambling landing analysis

Screenshot after spinning the casino wheel

They offer a 150% bonus on the first deposit.

After registration
Account top up

Window asking to pay via a 3rd-party payment provider (not Google Pay)

Conclusion


Applications that have such a link cleverly hide their functionality, but do not be fooled by this. The mere presence of this link indicates that the application has hidden functionality, which will be shown only when the site needs it.

Gambling.pro always has fresh apps in their Telegram bot; we'll report all fresh updates on a daily basis.