Ad fraud by apps installed by millions

Six apps were found to be committing fraud against advertising networks by faking clicks on ads.

Google removed the apps from the Play store following an investigation by BuzzFeed News and Check Point Research, which uncovered the fraudulent activity that was being carried out.

Each of these apps had millions or tens of millions of users, a nice interface, and positive reviews. Now, though, if you look them up on the Play store, you will find the message “We’re sorry, the requested URL was not found on this server.” The apps are still available as APKs on other websites.

The clicker campaign has been dubbed PreAMo — mashing the three defrauded advertising networks’ names together: Admob (by Google), Mopub (by Twitter), Presage (by Ogury).

Mobile app developers use advertising networks to earn money while keeping their app free. The process works like this:

  • People who wish to advertise something create ads. Those ads will spread awareness and entice people to want to know more about the advertised product.
  • The ad creators partner with an advertising network to publish the ads.
  • Various websites and apps work with the advertising network to display the ads in their content.
  • Users of these apps and websites see the ads and either ignore them, look at them, or click on them.
  • The creators of the ads pay the network (and the app in which the ad was displayed) according to the actions that the user took.

The developer of the infected apps was collecting money made from this clicker campaign, defrauding the creators of the ads. Google calls automated clicks “invalid clicks” and tries to filter them out to avoid charging the ad creators, but they and other advertising networks are not always successful.

Whether an ad is “clicked on” in the PreAMo campaign depends on, among other things, a random number, as do the screen coordinates of the click. The time intervals are also partially random. The randomness makes it look like the actions were performed by a real, living human being, which makes the fraud difficult to detect. The apps also communicated with a command and control (C&C) server to receive orders on where and how often to click on ads. All six apps used the same C&C server, coordinating the campaign together.

Selfie Camera, Omni Cleaner, RAM Master – Memory Optimizer, Total Cleaner, Smart Cooler – Phone Cooler & CPU Temp Controller, AIO Flashlight: these are the apps that were found to be executing the ad fraud. If you find that you have them installed, it is probably safest to remove them, as the developers’ behaviour is unethical and thus not trustworthy.

To avoid installing malicious applications on your Android phone in the future, carefully check permissions and see if they seem relevant to the functions of the app being installed. Also, research the app and the developer. It is safest to install apps from the Google Play store. True, malware does make it into the store sometimes, but Google removes it as soon as they find it. Other sources of apps are not always so able or willing to get rid of Trojans.

Although these apps were caught, this is not the first and, probably, not the last time that mobile applications are found to be Trojans harbouring malware. After all, money spent on mobile advertising is growing, as is the number of mobile phone users, and online criminals need a big pool of users to profit from.

Source: TechNadu
