A new ad fraud campaign is potentially costing victims hundreds of dollars a year in data bills through infected Android apps and games.
Dubbed DrainerBot by Oracle researchers, the scheme has been described as a “major mobile ad fraud operation” which has been distributed through at least ten million downloads of infected consumer applications.
The DrainerBot code has been unpacked and found in malicious software development kits (SDKs) relating to Android mobile apps, many of which have proven popular — including “Perfect365,” “VertexClub,” “Draw Clash of Clans,” “Touch ‘n’ Beat – Cinema,” and “Solitaire: 4 Seasons (Full).”
DrainerBot’s code overlays invisible, fraudulent ads to devices when apps are in use. The infected app will then report back to ad networks connected to the scheme that the advert has been viewed on a legitimate publisher’s website, and this results in fraudulent ad revenue kickbacks for the threat actors involved.
Oracle says that video ads are in play, and as these kinds of advertisements generally offer more in revenue than simple banner ads, the legitimate ad networks that have been signed up with are unwittingly being defrauded out of serious cash.
It is not just ad networks which are being scammed, however, As the DrainerBot code is showing ads which are invisible, users may not realize anything is wrong — at least, until they receive their data bills, which would be heavily impacted by the constant launch and play of online videos.
Oracle says that infected apps can consume over 10GB per month, which potentially could cost device owners a hundred dollars per year or more in charges. In addition, malicious apps can quickly drain a device’s battery, even if these applications are not in use.
According to the tech giant, the infected SDK appears to originate from Tapcore as a distribution channel. The Netherlands-based company says it protects app developers by “detecting pirated installations of apps” and permits developers to monetize these installs by “displaying ads and providing critical analytics regarding illegal installations.”
Tapcore says that the firm’s SDK has been incorporated into over 3,000 apps and serves over 150 million ad requests per month.
In contrast to this claim, Oracle says that fraudulent app activity also takes place after valid, genuine applications have been installed.
“Mobile devices are a prime target with a number of potential infection vectors, which are growing increasingly complicated, interconnected, and global in nature,” said Kyle York, VP of product strategy at Oracle Cloud Infrastructure. “The discovery of the DrainerBot operation highlights the benefit of taking a multi-pronged approach to identifying digital ad fraud by combining multiple cloud technologies. Bottom line is both individuals and organizations need to pay close attention to what applications are running on their devices and who wrote them.”
ZDNet has reached out to Tapcore and will update if we hear back.
Previous and related coverage