Yesterday, Google issued a response describing how it is handling the huge ad fraud scheme that Buzzfeed News reported to it last week. According to the report, almost 125 Android apps and websites were affected by this ad fraud. Many of the affected apps are targeted at kids or teens.
What did the Buzzfeed News investigation reveal?
Buzzfeed News said in its report that application developers were being contacted by sketchy websites, such as We Purchase Apps, offering to buy their mobile applications. After acquiring the apps, the buyers changed the applications' details on Google Play Store.
These companies were part of a massive, sophisticated digital advertising fraud scheme. The fraud involved more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, the British Virgin Islands, Croatia, Bulgaria, and elsewhere.
The report also revealed that people using these apps were secretly tracked:
“A significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application.”
Schemes like these target Android applications because of Android's huge user base and because Google Play Store has a less strict app review process than Apple's App Store. Android apps are bought with offers of huge sums, sold, injected with malicious code, repurposed without users' or Google's knowledge, and turned into engines of fraud.
How does the ad fraud scheme work?
As revealed by Buzzfeed News, the web-based traffic is generated by a botnet called TechSnab, a small to medium-sized botnet that has existed for a few years.
The botnet creates hidden browser windows that visit web pages to inflate ad revenue. The malware contains common IP-based cloaking, data obfuscation, and anti-analysis defenses. The botnet directed traffic to a network of websites created specifically for this operation and monetized with Google and many third-party ad exchanges.
Based on the analysis of historical ads.txt crawl data, inventory from these websites was widely available throughout the advertising ecosystem. As many as 150 exchanges, supply-side platforms (SSPs) or networks may have sold this inventory. The botnet operators had hundreds of accounts across 88 different exchanges based on accounts listed with DIRECT status in their ads.txt files.
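The kind of ads.txt crawl analysis described above can be sketched as follows. This is an added example, not code from Buzzfeed News or Google; the crawl data, domain names, account IDs and function names are all constructed for illustration. It parses each site's ads.txt records, counts the DIRECT seller accounts and the exchanges they span, and lists accounts declared DIRECT on more than one site, which is a signal that the sites share an operator.

```python
from collections import defaultdict

# Constructed sample crawl: site -> ads.txt body (domains and IDs are made up).
CRAWL = {
    "site-a.example": """\
# ads.txt for site-a
exchange-one.example, pub-1001, DIRECT, abc123
Exchange-Two.example, 7788, direct
exchange-three.example, 555, RESELLER  # via partner
contact=ads@site-a.example
""",
    "site-b.example": """\
exchange-one.example, pub-1001, DIRECT
exchange-two.example, 9911, DIRECT
this line is malformed
""",
    "site-c.example": "exchange-four.example, 42, RESELLER\n",
}

def parse_ads_txt(body):
    """Yield (ad_system, account_id, relationship) for each data record."""
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3 or "=" in fields[0]:     # blank, malformed, or variable
            continue
        rel = fields[2].upper()                     # relationship is case-insensitive
        if rel in ("DIRECT", "RESELLER"):
            yield fields[0].lower(), fields[1], rel

def direct_summary(crawl):
    """Count DIRECT accounts/exchanges and find accounts shared across sites."""
    sites_by_account = defaultdict(set)
    for site, body in crawl.items():
        for system, account, rel in parse_ads_txt(body):
            if rel == "DIRECT":
                sites_by_account[(system, account)].add(site)
    exchanges = {system for system, _ in sites_by_account}
    shared = {k: sorted(v) for k, v in sites_by_account.items() if len(v) > 1}
    return len(sites_by_account), len(exchanges), shared

if __name__ == "__main__":
    accounts, exchanges, shared = direct_summary(CRAWL)
    print(f"{accounts} DIRECT accounts across {exchanges} exchanges")
    for (system, account), sites in shared.items():
        print(f"{system} / {account} is DIRECT on: {', '.join(sites)}")
```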
How is Google tackling this ad fraud?
Buzzfeed News shared a list of apps and websites connected to the scheme with Google last week. Google investigated and found that dozens of apps used its mobile advertising network, and in its post yesterday it confirmed the presence of a botnet driving traffic to websites and apps in the scheme.
A Google spokesperson told Buzzfeed News:
“We take seriously our responsibility to protect users and provide a great experience on Google Play. Our developer policies prohibit ad fraud and service abuse on our platform, and if an app violates our policies, we take action.”
In the past week, Google has removed apps involved in this ad fraud scheme, banning them from monetizing with Google. Additionally, it has blacklisted the apps and websites that are outside its ad network to ensure that advertisers using Display & Video 360 do not buy any of this traffic.
Google is taking the following steps to curb this ad fraud scheme:
- Their engineering and operations teams are taking systemic action to disrupt this threat, including the takedown of command and control infrastructure that powers the associated botnet.
- Technical information related to this scheme is shared with trusted partners across the ecosystem so that they can make their security stronger and minimize the impact of this threat.
- Active infections associated with TechSnab, the botnet revealed in the investigation, have been reduced significantly with the help of the Google Chrome Cleanup tool, which prompted users to uninstall the malware.
- According to Google's investigation, the impact fell mostly on mobile apps. Google checked for apps monetizing via AdMob and removed those engaged in this behavior from its ad network.