Hundreds Of Android Apps Found To Serve Invisible Ads

• by Wendy Davis  @wendyndavis, February 20, 2019

A massive mobile ad-fraud operation, involving hundreds of malware-laden Android apps, has been uncovered by Oracle.

The scheme, “DrainerBot,” involved serving ads that were invisible to users, but that burned through their data allotments and depleted their batteries. The affected apps -- including popular ones like “Perfect365” and “Draw Clash of Clans" -- have been downloaded more than 10 million times.

The apps contained malicious software development tools that were apparently distributed by the company Tapcore, according to Oracle.

Tapcore boasts it can help developers monetize apps that users have either pirated or obtained from unauthorized sources. The company says its software tools are in more than 3,000 apps.

While Tapcore is based in the Netherlands, many company executives and employees are located in Russia, Latvia and the Ukraine, according to Tapcore's LinkedIn page.

Tapcore's code loads mobile video ads that are invisible to users on their phones, according to Oracle. The ads appear on spoofed domains, but the app tells the ad network that the video ads appeared on legitimate sites.

Some people who downloaded the apps realized they consumed large amounts of data -- although users didn't necessarily know why. Last September, one person who reviewed Perfect365 -- an app that offers makeup tools -- wrote that it “goes insane periodically and eats through ton of data in the background.”

The app developers may not have been aware of the nature of Tapcore's software, according to Chris Tsoufakis, senior director of software engineering at Oracle. “From what we can observe, it's definitely possible that the developers in this case are victims,” he says.

Tapcore's website says the company will launch software for Apple devices this quarter. So far, Oracle researchers have only seen the malicious code on Android apps.

DrainerBot was discovered after an investigation by Oracle's technology teams from its Moat and Dyn acquisitions. The company first learned of the scheme last summer through a routine investigation, according to Tsoufakis.

Oracle estimates that the scheme could have cost consumers more than $100 a year in extra data charges, depending on their mobile plans. The company hasn't estimated how much the operation could have cost advertisers.

The news comes as the prevalence of mobile ad fraud appears to be increasing. Late last year, BuzzFeed News published an investigation into a separate mobile fraud scheme involving more than 125 Android apps that were downloaded more than 115 million times.

Oracle has posted more information about the scheme at info.moat.com/drainerbot.

The ad industry's Trustworthy Accountability Group will brief its members on Friday about the scheme and potential steps to combat it.