Google: We've just hit Android fraudsters raking in millions by faking human traffic

Sophisticated ad fraud network made millions with Android apps, which Google says it has removed.


Google says it's removed the apps and blacklisted the websites employed in a massive ad scam that made millions for fraudsters who used bots trained to mimic human user behavior.

The scheme, described in a BuzzFeed News report, centers on a company called We Purchase Apps that does exactly that, paying for apps generously in bitcoin and transferring ownership to various front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, and Bulgaria.

The scheme reportedly involved 125 Android apps and websites. To create convincing bogus traffic to sell, the fraudsters buy legitimate Android apps with an established reputation and then study the behavior of their users.

Using this information, they can create bots that act like human users to send real-looking traffic to the fraudster's app. The fraudsters also blend bot- and human-generated traffic to evade ad-fraud detection.

Google has put the cost to advertisers of the fraud at less than $10m.

"The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks," said Per Bjorke, product manager for Google's Ad Traffic Quality unit.


Google says the fake web traffic was generated by a botnet called TechSnab, which it has already been tracking.

The TechSnab malware is usually bundled with free, third-party apps and is installed as a browser extension. Users can spot an infection if they see pop-ups, pop-unders and various other ads marked 'TechSnab'.

Google also confirmed that some of the fraudulent apps were making money via its AdMob platform. It has removed the apps and confirmed the traffic from the apps "seems to be a blend of organic user traffic and artificially inflated ad traffic, including traffic based on hidden ads".

"We are actively tracking this operation, and continually updating and improving our enforcement tactics," said Bjorke.

Part of the scheme was uncovered in June by ad-fraud detection firm Pixalate, which focused on 'mobile-app laundering', where a fraudster spoofs a legitimate app's unique identifier.

Here, an advertiser could be duped into buying ad inventory for one app but their ads are served to another app that may not be in use by a person.

One example was an Android app called MegaCast, which Pixalate found was displaying the unique IDs of other apps to attract bids for ads. It's among the 125 apps and websites BuzzFeed News connected to a handful of loosely linked companies.

The MegaCast app spoofed about 60 apps, according to Pixalate, and generated as much as $75m a year from major advertisers, including Disney, L'Oréal, Facebook, Volvo, and Lyft. MegaCast was removed from the Google Play Store after Pixalate's report.

BuzzFeed News found that the spoofed apps were not victims, but actually part of the same scheme.
