Oracle announced the discovery of and mitigation steps for “DrainerBot,” a major mobile ad fraud operation distributed through millions of downloads of infected consumer apps. Infected apps can consume more than 10GB of data per month downloading hidden and unseen video ads, potentially costing each device owner a hundred dollars per year or more in data overage charges.
DrainerBot was uncovered through the joint efforts of Oracle technology teams from its Moat and Dyn acquisitions. Now part of the Oracle Data Cloud, Moat offers viewability, invalid traffic (IVT), and brand safety solutions, while Dyn enables DNS and security capabilities as part of Oracle Cloud Infrastructure.
The DrainerBot code appears to have been distributed via an infected SDK integrated into hundreds of popular consumer Android apps and games like “Perfect365,” “VertexClub,” “Draw Clash of Clans,” “Touch ‘n’ Beat – Cinema,” and “Solitaire: 4 Seasons (Full).” Apps with active DrainerBot infections appear to have been downloaded by consumers more than 10 million times, according to public download counts.
Information About DrainerBot:
- DrainerBot is an app-based fraud operation that uses infected code on Android devices to deliver fraudulent, invisible video ads to the device.
- The infected app reports back to the ad network that each video advertisement has appeared on a legitimate publisher site, but the sites are spoofed, not real.
- The fraudulent video ads do not appear onscreen in the apps (which generally lack web browsers or video players) and are never seen by users.
- Infected apps consume significant bandwidth and battery, with tests and public reports indicating an app can consume more than 10 GB/month of data or quickly drain a charged battery, even if the infected app is not in use or in sleep mode.
- The SDK being used in the affected apps appears to have been distributed by Tapcore, a company in the Netherlands.
- Tapcore claims to help software developers monetise stolen or pirated installs of their apps by delivering ads through unauthorised installs, although fraudulent ad activity also takes place after valid app installs.
- On its website, Tapcore claims to be serving more than 150 million ad requests daily and says its SDK has been incorporated into more than 3,000 apps.
“Mobile app fraud is a fast-growing threat that touches every stakeholder in the supply chain, from advertisers and their agencies to app developers, ad networks, publishers, and, increasingly, consumers themselves,” said Mike Zaneis, CEO of the Trustworthy Accountability Group (TAG). “These types of fraud operations cross all four of TAG’s programmatic pillars, including fraud, piracy, malware, and transparency, and preventing such operations will require unprecedented cross-industry collaboration. As the ad industry’s leading information-sharing body, we are delighted to work with Oracle to educate and inform TAG’s membership about this emerging threat.”
“DrainerBot is one of the first major ad fraud operations to cause clear and direct financial harm to consumers,” said Eric Roza, SVP and GM of Oracle Data Cloud. “DrainerBot-infected apps can cost users hundreds of dollars in unnecessary data charges while wasting their batteries and slowing their devices. We look forward to working with companies across the digital advertising ecosystem to identify, expose, and prevent this and other emerging types of ad fraud.”
“Mobile devices are a prime target with a number of potential infection vectors, which are growing increasingly complicated, interconnected, and global in nature,” said Kyle York, VP of product strategy, Oracle Cloud Infrastructure. “The discovery of the DrainerBot operation highlights the benefit of taking a multi-pronged approach to identifying digital ad fraud by combining multiple cloud technologies. Bottom line is both individuals and organisations need to pay close attention to what applications are running on their devices and who wrote them.”