Google says it's removed the apps and blacklisted the websites employed in a massive ad scam that made millions for fraudsters who used bots trained to mimic human user behavior.
The scheme, described in a Buzzfeed News report, centers on a company called We Purchase Apps that does exactly that, paying for apps generously in bitcoin and transferring ownership to various front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, and Bulgaria.
The scheme reportedly involved 125 Android apps and websites. To create convincing bogus traffic to sell, the fraudsters buy legitimate Android apps with an established reputation and then study the behavior of their users.
Using this information, they can create bots that act like human users to send real-looking traffic to the fraudster's app. The fraudsters also blend bot- and human-generated traffic to evade ad-fraud detection.
Google has put the cost to advertisers of the fraud at less than $10m.
"The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks," said Per Bjorke, product manager for Google's Ad Traffic Quality unit.
Google says the fake web traffic was generated by a botnet called TechSnab, which it has already been tracking.
The TechSnab malware is usually bundled with free, third-party apps and is installed as a browser extension. Users would discover an infection if they see pop-ups, pop-unders and various other ads marked 'TechSnab'.
Google also confirmed that some of the fraudulent apps were making money via its AdMob platform. It has removed the apps and confirmed the traffic from the apps "seems to be a blend of organic user traffic and artificially inflated ad traffic, including traffic based on hidden ads".
"We are actively tracking this operation, and continually updating and improving our enforcement tactics," said Bjorke.
Part of the scheme was uncovered by ad-fraud detection firm Pixalate in June, which focused on 'mobile-app laundering', where a fraudster spoofs a legitimate app's unique identifier.
Here, an advertiser could be duped into buying ad inventory for one app but their ads are served to another app that may not be in use by a person.
One example was an Android app called MegaCast, which Pixalate found was displaying the unique ID of others apps to attract bids for ads. It's among the 125 apps and websites Buzzfeed News connected to a handful of loosely linked companies.
The MegaCast app spoofed about 60 apps, according to Pixalate, and generated as much as $75m a year from major advertisers, including Disney, L'Oréal, Facebook, Volvo, and Lyft. MegaCast was removed from the Google Play Store after Pixalate's report.
Buzzfeed News found that the spoofed apps were not victims, but actually part of the same scheme.
Previous and related coverage
Scam robocallers tell victims: call us now or your Google business listing will labeled closed.
The Google Maps URL-sharing feature allows scammers to send victims to any site they choose.
External attack vectors and techniques which bypass spam and fraud systems are now part of the program.
Partnerstroka uses an "evil cursor" attack to hijack the mouse of Google Chrome browser user
If you trust Google, this is the second-factor security key for you.
The search giant spotted increasing numbers of misleading ads.