The “harmless” $19Bn adware fraud scheme that’s eating your data plan, your battery life and stealing your privacy and personal data.

Dr. Zac Sadan & Rowland Yu, Protected Media & Sophos

Ad fraud is now one of the most profitable criminal enterprises in the world. Today an ad fraud app refers to software that, while not intentionally malicious on the vendor’s part, is designed to deceive the user in some manner for the gain of the vendor or a third party. The app attempts to deceive ordinary consumers during install, at run time, and during uninstall. The deceptive and risky behaviours of an ad fraud app include misleading users with fake, exaggerated, unsubstantiated or coercive ads, installing unauthorised apps and components, injecting multiple interstitial or invisible ads, and more.

These ad fraud app schemes are costing the ad tech industry unimaginable financial losses – the costs of ad fraud are due to reach $19 billion in 2018, with projections of $50 billion by 2025. As cyber criminals continue to develop the threat landscape, stakeholders and legislators are also starting to take these cyber security threats more seriously:

  • The World Federation of Advertisers says that ad fraud is second only to the drugs trade, as the largest source of income for organized crime
  • The FBI are starting to be proactive and learn more about ad fraud
  • The legislature in the UK is listening and starting to debate to what extent legislation needs to cover this nascent market

The costs to the end user are extremely high; despite a number of positive reviews appearing in the app store, some users complain of malicious/fraudulent apps draining both their device batteries and their data plans. Moreover, there are instances where privacy is at risk as viruses send personal and/or device data to third parties.

We’ve seen a huge increase in the number of innovative fraud schemes and in this report, we will expand upon a sophisticated virus which is posing a huge threat to both advertisers and end users:

  • A new breed of polymorphic viruses that ship in thousands of versions in order to stay under the radar of anti-virus software, all of which were identified because they shared the same bundle IDs (in Android terms, package names).
  • The modus operandi of these viruses included downloading specific code and plug-ins to further disguise themselves, while generating invisible iframes on the device. They then generated clicks inside the web pages – usually adult sites – using JavaScript, and went on to send device information to other websites.
  • By stealing videos from legitimate sites such as YouTube, these apps are able to run click fraud in the background, stealing money from advertisers, draining end users’ device batteries and data plans, and sharing personal/device data with third parties.
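As an added illustration of the detection approach the first bullet describes (this is example code written for this page, not code from the talk or from Protected Media or Sophos), the Python below groups APK metadata records by package name so that a family shipping many distinct builds under one package stands out from ordinary apps with one or two versions. The CSV records, package names, certificate labels and hashes are constructed sample data, and the `min_variants` threshold is an assumed tuning knob.

```python
"""Cluster APK metadata by package name to surface polymorphic families.

Idea (from the talk abstract): thousands of hash-distinct variants that all
share one package name / bundle ID are easy to miss one hash at a time, but
stand out immediately when the corpus is grouped by package.
All data below is constructed sample data, not real samples.
"""
import csv
import hashlib
import io
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApkRecord:
    sha256: str        # hash of the APK file; differs for every rebuilt variant
    package: str       # Android package name (the "bundle ID")
    cert_sha1: str     # label for the signing-certificate fingerprint
    version_code: int  # versionCode from the manifest


def _fake_hash(label: str) -> str:
    """Deterministic stand-in for a real APK SHA-256 (constructed, not real)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed corpus: one "video player" package with five distinct builds,
# a notes app uploaded twice with the same hash, and a torch app with two
# builds signed by different certificates.
SAMPLE_CSV = "sha256,package,cert_sha1,version_code\n" + "\n".join(
    [f"{_fake_hash(f'player-{i}')},com.example.videoplayer,CERT_A,{100 + i}"
     for i in range(5)]
    + [
        f"{_fake_hash('notes-1')},com.example.notes,CERT_B,7",
        f"{_fake_hash('notes-1')},com.example.notes,CERT_B,7",  # duplicate upload
        f"{_fake_hash('torch-1')},com.example.torch,CERT_C,3",
        f"{_fake_hash('torch-2')},com.example.torch,CERT_D,4",
    ]
)


def parse_records(csv_text: str) -> list[ApkRecord]:
    """Parse a CSV export (header: sha256,package,cert_sha1,version_code)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [
        ApkRecord(
            sha256=row["sha256"].strip().lower(),
            package=row["package"].strip(),
            cert_sha1=row["cert_sha1"].strip(),
            version_code=int(row["version_code"]),
        )
        for row in reader
    ]


def cluster_by_package(records: list[ApkRecord]) -> dict[str, list[ApkRecord]]:
    """Group records under their package name."""
    clusters: dict[str, list[ApkRecord]] = defaultdict(list)
    for rec in records:
        clusters[rec.package].append(rec)
    return dict(clusters)


def flag_polymorphic(records: list[ApkRecord], min_variants: int = 3) -> dict:
    """Return {package: summary} for packages with >= min_variants distinct hashes.

    Duplicate uploads (same hash) count once, so a popular app that is simply
    re-uploaded does not trip the threshold. The summary also lists the
    signing certificates seen, since a package signed by several different
    certificates deserves a closer look during triage.
    """
    flagged = {}
    for pkg, recs in cluster_by_package(records).items():
        hashes = {r.sha256 for r in recs}
        if len(hashes) >= min_variants:
            flagged[pkg] = {
                "variants": len(hashes),
                "signing_certs": sorted({r.cert_sha1 for r in recs}),
                "version_codes": sorted({r.version_code for r in recs}),
            }
    return flagged


if __name__ == "__main__":
    for pkg, summary in flag_polymorphic(parse_records(SAMPLE_CSV)).items():
        print(f"{pkg}: {summary['variants']} distinct builds, "
              f"certs={summary['signing_certs']}, versions={summary['version_codes']}")
```

On the constructed corpus only `com.example.videoplayer` is reported at the default threshold; lowering `min_variants` to 2 also surfaces the torch app, and its two different signing certificates are visible in the summary, while the twice-uploaded notes app is never flagged because it has a single distinct hash.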

Dr. Zac Sadan

CTO @ Protected Media
Previously Chief Scientist at Cyren (Nasdaq:CYRN).
Ph.D. in Information Systems from Bar-Ilan University.
Over 20 years’ hands-on experience.
Research Interests: Entrepreneurship, Information Systems and Cyber-Security.

Rowland Yu

Rowland Yu is a senior threat researcher level 2 at Sophos. He joined SophosLabs as a spam analyst in 2006, before moving into the role of virus threat researcher for advanced threat research, reverse engineering and remediation. Rowland has also led anti-spam and DLP research in the Australian SophosLabs. After the first Android malware was revealed in 2012, Rowland believed Android would become ‘the new Windows’ for malware and dedicated most of his time to Android security. Now Rowland is the primary researcher leading the Android team for malware analysis and emerging threats. He is also a frequent speaker at AVAR, Virus Bulletin and RSA conferences.

The Dynamic Security Ecosystem