FriendlyDealer Scam Mimics App Stores to Push Gambling Platforms, Some Impersonate Mr. Beast Affiliations
- Sophisticated evasion tactics: The FriendlyDealer scam utilizes PWA technology to bypass standard OS protections, funneling users toward unvetted gambling apps.
- Massive infrastructure scale: Security analysts identified over 1,500 disposable domains hosting fake app stores designed to capture lucrative affiliate commissions.
- Claiming fake affiliations: Of the over 20 gambling apps discovered, one even impersonates YouTube creator Mr. Beast.
A massive social-engineering operation is currently targeting mobile device users by impersonating legitimate apps. Dubbed the FriendlyDealer scam, this sophisticated campaign uses at least 1,500 disposable domains that host a fake Google Play or Apple App Store website to deceive victims into installing unregulated, web-based applications.
The technical architecture of this campaign relies heavily on Progressive Web App (PWA) technology, according to a recent Malwarebytes analysis.
Executing Fake App Stores via PWAs
FriendlyDealer is built as a single, reusable kit that can generate many different fake app listings. When a user interacts with one of the fake app stores, the site detects the underlying operating system and dynamically renders a highly convincing replica of either the Google Play Store or the Apple App Store. Instead of downloading a traditional binary file, the victim installs a PWA.
This deployment method allows the web application to operate persistently in the background through service workers. The network redirects victims to unvetted gambling apps with fabricated reviews. Security researchers identified at least twenty casino brands, including:
- “Tower Rush” (189 deployments)
- “Chicken Road” (97)
- “BEAST GAMES: ICE FISHING” (43), which impersonates YouTube creator Mr. Beast
On Android, the fake “Install” button relies on a mobile-only Chrome feature: it captures Chrome’s install prompt in order to display a real installation dialog. The usual warning is not triggered, and apps installed this way can even appear as “Installed from Google Play Store” in the phone’s settings.
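The page behaviours described above can be turned into a triage heuristic for crawled HTML. The following is an added example, not code from Malwarebytes or from the kit: it scores a page for a web app manifest, service-worker registration, capture of Chrome's `beforeinstallprompt` event, OS detection and app-store branding served from a non-store host. The weights, threshold, hostnames and sample pages are constructed assumptions.

```python
import re

# Each indicator maps to a behaviour the article describes. The weights and the
# threshold are assumptions chosen for this illustration, not measured values.
INDICATORS = {
    "manifest_link": (re.compile(r"<link[^>]+rel=[\"']?manifest", re.I), 1),
    "service_worker": (re.compile(r"serviceWorker\s*\.\s*register\s*\(", re.I), 1),
    "captures_install_prompt": (re.compile(r"beforeinstallprompt", re.I), 2),
    "os_detection": (re.compile(r"navigator\s*\.\s*(userAgent|platform)", re.I), 1),
    "store_branding": (re.compile(r"google\s*play|app\s*store", re.I), 2),
}
OFFICIAL_STORE_HOSTS = {"play.google.com", "apps.apple.com"}
THRESHOLD = 5  # assumption: branding plus PWA plumbing plus one more signal

# Constructed sample pages (not captured from the campaign).
SAMPLE_FAKE_STORE = """<html><head><title>Tower Rush - Apps on Google Play</title>
<link rel="manifest" href="/manifest.json"></head><body>
<button id="install">Install</button><script>
const isIOS = /iPhone|iPad/.test(navigator.userAgent);
let deferred;
window.addEventListener('beforeinstallprompt', e => { e.preventDefault(); deferred = e; });
navigator.serviceWorker.register('/sw.js');
</script></body></html>"""

SAMPLE_LEGIT_PWA = """<html><head><title>Notes</title>
<link rel="manifest" href="/app.webmanifest"></head>
<body><script>navigator.serviceWorker.register('/sw.js');</script></body></html>"""


def triage(host, html):
    """Return (score, matched indicator names, flagged) for one crawled page."""
    if host.lower() in OFFICIAL_STORE_HOSTS:
        return 0, [], False  # the real stores are out of scope
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(html)]
    score = sum(INDICATORS[name][1] for name in hits)
    # Store branding is required: an ordinary PWA alone is not suspicious.
    flagged = score >= THRESHOLD and "store_branding" in hits
    return score, hits, flagged


if __name__ == "__main__":
    for host, page in [("tower-rush.example", SAMPLE_FAKE_STORE),
                       ("notes.example", SAMPLE_LEGIT_PWA)]:
        print(host, triage(host, page))
```

A flagged page is a candidate for analyst review, not a verdict: legitimate sites that show store badges and also ship a PWA can score close to the threshold.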
FriendlyDealer also leverages paid advertising to propagate and includes empty slots for tracking pixels from Google, Yandex, Facebook, and TikTok. This operation focuses entirely on affiliate marketing fraud, earning commissions “every time someone signs up or deposits money on one of these sites.”
Mitigating the Cybersecurity Risks
Because unvetted online gambling platforms operate outside established regulatory frameworks, they lack basic consumer protections, age verification checks, and financial deposit limits. The hostile infrastructure utilizes a centralized telemetry server to track user engagement and capture error logs across its vast network.
To neutralize these fraudulent installations, mobile users must manually delete the associated PWA icon from their device home screens and thoroughly clear all cached site data from their respective web browsers.
Scammers frequently appropriate the Mr. Beast brand, referencing the Internet personality’s new gaming business, Beast Games, and presenting the sites as legitimate collaborations. Last year, fake online gaming websites scammed crypto users, with some of the sites using purported affiliations with Mr. Beast.





