A new ad fraud campaign is potentially costing victims hundreds of dollars a year in data bills through infected Android apps and games.
Dubbed DrainerBot by Oracle researchers, the scheme has been described as a "major mobile ad fraud operation" which has been distributed through at least ten million downloads of infected consumer applications.
The DrainerBot code has been unpacked and found in malicious software development kits (SDKs) relating to Android mobile apps, many of which have proven popular -- including "Perfect365," "VertexClub," "Draw Clash of Clans," "Touch 'n' Beat – Cinema," and "Solitaire: 4 Seasons (Full)."
DrainerBot's code overlays invisible, fraudulent ads to devices when apps are in use. The infected app will then report back to ad networks connected to the scheme that the advert has been viewed on a legitimate publisher's website, and this results in fraudulent ad revenue kickbacks for the threat actors involved.
Oracle says that video ads are in play, and as these kinds of advertisements generally offer more in revenue than simple banner ads, the legitimate ad networks that have been signed up with are unwittingly being defrauded out of serious cash.
It is not just ad networks which are being scammed, however, As the DrainerBot code is showing ads which are invisible, users may not realize anything is wrong -- at least, until they receive their data bills, which would be heavily impacted by the constant launch and play of online videos.
Oracle says that infected apps can consume over 10GB per month, which potentially could cost device owners a hundred dollars per year or more in charges. In addition, malicious apps can quickly drain a device's battery, even if these applications are not in use.
According to the tech giant, the infected SDK appears to originate from Tapcore as a distribution channel. The Netherlands-based company says it protects app developers by "detecting pirated installations of apps" and permits developers to monetize these installs by "displaying ads and providing critical analytics regarding illegal installations."
Tapcore says that the firm's SDK has been incorporated into over 3,000 apps and serves over 150 million ad requests per month.
In contrast to this claim, Oracle says that fraudulent app activity also takes place after valid, genuine applications have been installed.
"Mobile devices are a prime target with a number of potential infection vectors, which are growing increasingly complicated, interconnected, and global in nature," said Kyle York, VP of product strategy at Oracle Cloud Infrastructure. "The discovery of the DrainerBot operation highlights the benefit of taking a multi-pronged approach to identifying digital ad fraud by combining multiple cloud technologies. Bottom line is both individuals and organizations need to pay close attention to what applications are running on their devices and who wrote them."
Update 8.52 GMT: Tapcore said in a statement:
"Tapcore strongly denies any intentional involvement with the supposed ad fraud scheme, and is extremely surprised and alarmed by the allegations and attempt to connect the company with the scheme.
Tapcore has set very stringent standards for traffic authenticity and takes each instance of potential abuse very seriously -- taking immediate action to block such traffic indefinitely.
At the moment of first hearing about the DrainerBot ad fraud scheme, Tapcore began immediate internal investigation to see whether any such code was ever distributed through its network without its knowledge. The company is ready to cooperate with all interested parties and provide all results on its findings. Openness and transparency is paramount in the mobile advertising industry, and Tapcore is prepared to share all data and results."