An investigation by BuzzFeed News has found a sophisticated ad fraud scheme involving over 125 Android apps, with user behaviour tracked to enable hundreds of millions of dollars to be fraudulently charged.
The operation involved hundreds of apps and websites being acquired by a firm called We Purchase Apps, which then transferred ownership to one of a series of shell companies based in countries including Israel, Serbia, Germany, Bulgaria and Malta.
Once these legitimate apps were acquired, software was used to track user behaviour within the app, enabling the fraudsters to more accurately mimic user behaviour with bots, which were then used to generate advertising income. More than a dozen of the apps affected were targeted at teenagers or young users.
"This is not your run-of-the-mill fraud scheme," said Asaf Greiner, CEO of cybersecurity firm Protected Media, who analysed the apps and websites at BuzzFeed News' request. "We are impressed with the complex methods that were used to build this fraud scheme and what's equally impressive is the ability of criminals to remain under the radar."
Another fraud detection company, Pixalate, first exposed one element of the operation back in June, estimating that the fraud being committed on just one of the affected mobile apps could generate $75m (£58m) in stolen ad revenues. After it published the findings, Pixalate received an email from an anonymous person connected to the fraud who said that the amount stolen was closer to $750m.
Most of the apps acquired to serve as part of the fraud operation were games, although others included a flashlight app, a healthy eating app and a selfie app, with one app, EverythingMe, having been installed more than 20m times. In total, the affected apps are suspected to have been downloaded onto Android devices more than 115m times.
The ad networks and exchanges used by the scheme include major players in the area, including Google, although there is no evidence that any were aware that the inventory being used was fraudulent. BuzzFeed News provided Google with a list of the apps and websites connected to the scheme, and its independent analysis confirmed the presence of a botnet driving traffic. More than 30 of the apps have been removed from the Play Store, and multiple publisher accounts associated with them have been terminated from Google's ad networks.
"We take seriously our responsibility to protect users and provide a great experience on Google Play," said a Google spokesperson. "Our developer policies prohibit ad fraud and service abuse on our platform, and if an app violates our policies, we take action."
The scheme highlights a serious flaw in Google's Play Store app verification strategy, where apps that have already been vetted are rarely rechecked when they are sold to new publishers or owners. It was this oversight that enabled the fraudsters to use existing legitimate apps to build such a huge network.
"Fighting invalid traffic is essential for the long-term sustainability of the digital advertising ecosystem," said Per Bjorke, product manager for ad traffic quality at Google. "We take all reports of questionable activity seriously, and when we find invalid traffic, we act quickly to remove it from our systems. We want to thank BuzzFeed for sharing information that allowed us to take further action. This effort highlights the importance of collaborating with others to counter bad actors. Ad fraud is an industry-wide issue that no company can tackle alone.
"While our analysis of the operation is ongoing, we estimate that the dollar value of impacted Google advertiser spend across the apps and websites involved in the operation is under $10m. The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks."