Around 125 Android apps tracked user behaviour to run a million-dollar ad scam

Digital frauds can be of many kinds. Phishing, card skimming, crypto-jacking, trojan attacks are just some examples of them. But a Buzzfeed News investigation has shone a light on a completely new kind of fraud which involves some level of intelligence. This fraud was using around 125 popular Android apps to track user behaviour and earn multi-million dollars through ad views/clicks. [caption id=“attachment_5437421” align=“alignnone” width=“1280”] Representational image. tech2[/caption] The modus operandi was as follows:

• A company by the name of ‘We Purchase Apps’ would reach out to popular app developers whose apps were doing well on the Google Play Store and had real users and promise to buy those apps.
• The ownership of the apps that were bought was divided among shell companies distributed over many countries, so as to hide any sort of link with other apps that may have been bought by ‘We Purchase Apps’ which were part of this fraud scheme.
• The user behaviour on these apps was monitored and analysed and this behaviour was programmed into a whole network of bots which ran from servers to mimic the human audience.
• These bots were then made to use the apps, thereby increasing overall app engagement. The bot traffic was mixed with real user traffic to fool the ad system from detecting any fraud.
• Ads viewed by these masked bots earned the app developers money which ran into millions of dollars.
• Technically since bots mimicking human behaviour were viewing these ads, fake traffic was being generated which bypassed fraud detection systems that may have been in place to monitor bot activity, which generally has known patterns.

According to the report, a dozen of these apps compromised ( here’s a list) were targetted at kids or teens. A person with the knowledge of the fraud said that these apps had stolen millions of dollars from brands whose ads were shown to bots instead of real human beings. These apps have been installed on 115 million Android devices. The apps belong to various categories from gaming apps to flashlight apps to selfie apps to healthy eating apps and more. “We are impressed with the complex methods that were used to build this fraud scheme and what’s equally as impressive is the ability of criminals to remain under the radar,” said  Asaf Greiner, CEO of Protected Media which was the fraud detection firm that analysed these apps. According to another fraud detection firm, Pixalate, the fraud being committed on a single app could generate $75 million revenue per annum. But an anonymous source who contacted Pixalate later, said that the amount would actually be 10x Pixalate’s estimate. This fraud puts a big question mark on Play Store ecosystem’s ad-fraud detection technologies. The fairly easy app review process for Google Play Store over Apple’s App Store is clearly demonstrated via frauds like this. Google has sent out an update on its Security Blog that it has taken down the affected apps. It has taken down around 40 of the affected apps. It claims that this operation stole around $10 million from advertisers using Google’s ad network to place ads on the affected websites and apps. “While our internal systems had previously caught and blocked violating websites from our ad network, in the past week we also removed apps involved in the ad fraud scheme so they can no longer monetise with Google. We are continuing to monitor this operation and will continue to take action if we find any additional invalid traffic,” said Google on its blog. You can read about the complete investigation on Buzzfeed News.