Oracle discovered a mobile fraud operation plaguing 10 million app downloads, and it shows how pervasive scammers still are for advertisers



More than 400 Android apps were discovered in Oracle's findings.

  • Oracle has identified a new mobile app-fraud operation it dubbed DrainerBot that has infected more than 400 popular Android apps like Draw Clash of Clans and Perfect365.
  • Ad fraud continues to be a challenge for advertisers as scammers get more sophisticated with their tactics.
  • All told, Oracle estimates that the infected apps are costing mobile users extra data charges to the tune of $100 per year.

Fraud in digital advertising still runs rampant, particularly in mobile apps.

Last year, Oracle started noticing unusual browsing activity in more than 400 Android apps using a tried-and-true fraud tactic: domain spoofing, in which scammers create hidden web pages to run ads that consumers never see. The tactic has been used for years on websites and more recently in mobile apps and connected TVs, though this mobile app-fraud operation differs in a couple of ways.


For one, it plugs into popular apps like Perfect365, an augmented reality app that lets users virtually try on makeup, and app-based games like "Draw Clash of Clans" and "Solitaire: 4 Seasons." Typically, fraudsters target less popular apps that consumers are tricked into downloading. All told, Oracle estimates that the scheme it dubbed "DrainerBot" has affected more than 10 million devices, making it one of the larger fraud operations in recent years. The operation was detected by Oracle's digital analytics arm Moat and its security-focused firm Dyn.

Read more: Mobile ad fraud continues to surge as scammers get smarter -- with in-app fraud increasing by as much as 800% this year


Because fake video impressions are served in the background of the infected apps, there's also a direct connection to user experience and consumers' phone bills, said Eric Roza, SVP of Oracle Data Cloud.

Specifically, Oracle said that ad activity running in the background of apps slows the loading speeds of websites and adds data charges to phone bills. Oracle estimates that the scheme drains 10 gigabytes of data per month from infected apps, costing people the equivalent of roughly $8 a month (or $100 a year) in added data overage charges.

"We're used to the fact that marketers are defrauded and paying for ad impressions that no one is seeing," Roza said. "What's unique here is, this is the largest-scale fraud operation that we're aware of. What's especially nefarious here is that once these apps are loaded on your phone, you don't actually need to log in, and they can be running very high bandwidth video ad impressions in the background."

Consumers are getting hit with additional data costs

Here's how DrainerBot works: Oracle identified a Netherlands-based firm called Tapcore as the tech company distributing the apps. Tapcore provides app developers with software development kit (or SDK) technology that helps publishers find scammers who create illegal copies of their apps. The company's technology then runs ads within the illegal apps, which allows publishers to track down the illegal app copies. According to Tapcore's website, the company powers more than 3,000 apps, though Oracle only tracked 400 apps.

"That sounds like a fair value prop and that's why so many app developers large and small end up installing it," said Dan Fichter, Moat's chief technology officer.


Tapcore and Google, whose Google Play store houses the apps in question, did not respond to press inquiries.

According to Oracle, Tapcore's technology runs ads in all apps, regardless of whether they're legitimate apps or not. In some cases, users paid for an ad-free version of the app, but video ads continued to run within hidden web browsers inside the app. Once an app developer integrates Tapcore's code, it reaches out to an ad server to download additional code, which runs the domain spoofing continuously.

DrainerBot's scheme is particularly sophisticated because it targets inventory that ad verification companies think is real inventory on a legitimate publisher.

Ad fraud has been a hot-button topic for years, and while some estimates from firms like White Ops say that fraud issues will become less problematic in coming years, fraudsters also constantly refine their tactics to get stealthier, making it hard for advertisers to ever eliminate fraud completely.

Two operations dubbed Methbot and 3ve are the most noteworthy ad fraud schemes and date back to 2014. Methbot allegedly wasted $7 million in ad spend while 3ve collected more than $29 million from advertisers. In November, the Justice Department charged eight people with being associated with the two operations, making three arrests.


More recently, ad verification company DoubleVerify identified a botnet that specifically targeted connected-TV devices.

"You get a cat-and-mouse game," said Roza. "That's what makes DrainerBot particularly interesting - they're using some of the techniques that we've seen people use on desktop before but they're basically applying them to the mobile environment and finding unique ways of getting on consumers' devices."
