According to a report published by Buzzfeed News, over 125 Android apps and websites have been implicated in a massive fraud scheme that has stolen millions of dollars in advertising revenue.
Fraudsters purchased legitimate applications from developers through an alias company called “We Purchase Apps.” The apps were then connected to a network of shell companies in Cyprus, Malta, the British Virgin Islands, Croatia, Bulgaria, and other jurisdictions. The majority of the affected apps were directed towards kids or young adults.
One of those involved in the scheme reportedly indicated that it had “stolen hundreds of millions of dollars” from brands whose ads were shown to bots instead of human users.
Millions of people have downloaded these Android apps. Buzzfeed claims that a large portion of users were secretly tracked when they engaged with the applications so fraudsters could model user trends. “By copying actual user behaviour in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems,” the report said.
New: Apps installed on millions of Android phones were used to track users and execute a multimillion dollar ad fraud scheme https://t.co/FEJRqIpA0v
— BuzzFeed News (@BuzzFeedNews) October 23, 2018
These apps made millions of dollars in ad revenue from companies paying to advertise through in-app ad networks, including those run by Google AdSense. The scheme relies on blending fraudulent bot traffic with regular user data, making it difficult for an anti-fraud system to spot.
“These bots are unique to this operation, mimicking real user behaviour. The traffic is therefore a mix of real users inside a real app, and fake traffic,” said Greiner of Protected Media.
The scheme’s specific focus on Android apps indicates some serious issues with fraud and malware present in Google’s mobile ecosystem. Experts claim that schemes like these target Android due to its massive user base, and because the Google Play store has fewer regulatory measures in its app review process than Apple’s App Store. Android apps can be bought and sold, infected with malware, and then repurposed for fraudulent purposes.
Buzzfeed News notified Google about the scheme, and the company has already begun to take action. Google noted in a blog post that it removed many of the apps involved in the scheme from the Play Store and its ad network. However, some of the larger apps implicated in Buzzfeed’s report, such as EverythingMe, which has over 20 million installations, are still available for purchase on the Play Store.
According to Google’s report, it is estimated that approximately USD$10 million was stolen from advertisers. However, this may not capture the full extent of the damage done by these apps. Pixalate, a fraud detection firm that first noticed the fraudulent ad scheme in June, claimed that a single app could have cost advertisers up to USD$75 million per year. In addition, one app connected to the scheme was installed over 20 million times, indicating massive advertising profits.
According to Pixalate CTO Amin Bandeali, Google’s app stores aren’t doing enough to combat schemes such as these. “App stores, perhaps unwittingly, are providing a gateway to connecting fraudsters with [advertising] inventory buyers and sellers,” he said. “While the stores present customer reviews, download numbers and other ‘quality’ metrics, they offer minimal services that vet the business technology and relationships of the app companies.”