Google Busts Ad Fraud Network Bringing in Millions via Android Apps
Ad networks rely on automated processes that buy and sell advertisements, which pay out based on how many people saw or interacted with them. However, this system also makes those networks vulnerable to abuse. In a blog post this week, Google said that's exactly what happened with an ad fraud network that relied on more than 125 popular Android apps to generate fake page views for their operators, so they could rake in the payments from ads that were never actually seen.
BuzzFeed discovered the ad fraud network and revealed it to Google in mid-October. The outlet reported that this network was buying apps from developers, transferring ownership to seemingly unrelated companies and then funneling payments to an ad fraud scheme "connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria and elsewhere." Purchased apps were also used to train bots so they would appear to act like humans, evading various fraud prevention tools and letting the operators make their money in secret.
Google explained how the fraud was perpetrated: "In similar fashion to other botnets, this operates by creating hidden browser windows that visit web pages to inflate ad revenue. The malware contains common IP-based cloaking, data obfuscation and anti-analysis defenses. This botnet drove traffic to a ring of websites created specifically for this operation and monetized with Google and many third party ad exchanges." The company estimated that the operators brought in "under $10 million" for their trouble, with most of it coming "from non-Google, third-party ad networks."
BuzzFeed said that AppBrain, a mobile analytics company, estimated that all of the apps involved with this scheme had a collective 115 million users. Affected software ranged from games--the most popular category--to utilities like smartphone flashlights and nutrition apps. An app's intended audience didn't seem to matter; several of the implicated apps were made for children. The operators of this ad fraud network likely just kept an eye on which apps were becoming popular, offered to buy out those apps' developers and then quickly folded them into the network.
These apps were all found in the Play Store. This is the latest issue to raise questions about companies' ability to monitor their distribution platforms for bad actors. Apple had numerous problems with the Mac App Store earlier this year, and Google has long struggled to keep the Play Store clear of malicious software. The point of these platforms is to protect smartphone owners from apps that want to steal their information, spy on them, or otherwise abuse their trust; yet, more than 125 apps used by about 115 million people contributed to this ad fraud network.
It might be hard to shed a tear for the marketers affected by this scheme, but it also had a direct effect on the apps' users. Monitoring someone's activity without disclosure or consent to train bots how to mimic human behavior is a privacy violation. Some of these schemes can also affect device performance by opening these invisible web browser windows to "view" so many ads. It also shows that even apps with millions of users can have serious privacy and security flaws that go unnoticed until someone finally decides to connect the dots.
Nathaniel Mott is a freelance news and features writer for Tom's Hardware US, covering breaking news, security, and the silliest aspects of the tech industry.
TMTOWTSAC: Title says, "Google Busts Ad Fraud Network."
Article contents say "BuzzFeed discovered the ad fraud network and revealed it to Google in mid-October."
And when you're talking about harm to the users, there's no mention of the data usage hidden ad viewers eat up. That causes direct monetary damages to people on limited data plans.
rantoc: Aww Google lost some money on their ads they're showing up everyone's arse… I feel so darn sorry for them =P