Ad networks rely on automated processes that buy and sell advertisements, which pay out based on how many people saw or interacted with them. However, this system also makes those networks vulnerable to abuse. In a blog post this week, Google said that's exactly what happened with an ad fraud network that relied on more than 125 popular Android apps to generate fake page views for their operators, so they could rake in the payments from ads that were never actually seen.
BuzzFeed discovered the ad fraud network and reported it to Google in mid-October. The outlet reported that the network was buying apps from their developers, transferring ownership to seemingly unrelated companies and then funneling the resulting ad payments to a fraud scheme "connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria and elsewhere." The purchased apps were also used to record how real users interacted with them, and that behavior was used to train bots to mimic humans, which let the fraudulent traffic slip past fraud prevention tools and let the operators collect their money without drawing attention.
Google explained how the fraud was perpetrated: "In similar fashion to other botnets, this operates by creating hidden browser windows that visit web pages to inflate ad revenue. The malware contains common IP-based cloaking, data obfuscation and anti-analysis defenses. This botnet drove traffic to a ring of websites created specifically for this operation and monetized with Google and many third party ad exchanges." In other words, the apps loaded ad-bearing pages in browser windows the user never sees, and the code changed its behavior depending on the requester's IP address (cloaking), which is a standard way to show benign behavior to analysts and security scanners. The company estimated that the operators brought in "under $10 million" for their trouble, with most of it coming "from non-Google, third-party ad networks."
BuzzFeed said that AppBrain, a mobile analytics company, estimated that the apps involved in this scheme had a collective 115 million users. The affected software ranged from games, the most popular category, to utilities such as smartphone flashlights and nutrition apps. An app's intended audience didn't seem to matter; several of the implicated apps were made for children. The operators of this ad fraud network likely just kept an eye on which apps were becoming popular, offered to buy those apps from their developers and then quickly folded them into the network.
These apps were all found in the Play Store. This is the latest issue to raise questions about companies' ability to monitor their distribution platforms for bad actors. Apple had numerous problems with the Mac App Store earlier this year, and Google has long struggled to keep the Play Store clear of malicious software. The point of these platforms is to protect smartphone owners from apps that want to steal their information, spy on them, or otherwise abuse their trust; yet, more than 125 apps used by about 115 million people contributed to this ad fraud network.
It might be hard to shed a tear for the marketers affected by this scheme, but it also had a direct effect on the apps' users. Monitoring someone's activity without disclosure or consent in order to train bots to mimic human behavior is a privacy violation. Schemes like this can also degrade device performance: the invisible browser windows still load full web pages and ads to "view" them, consuming CPU, battery and mobile data in the background. It also shows that even apps with millions of users can carry serious privacy and security problems that go unnoticed until someone finally decides to connect the dots.