HUMAN, Google, Roku Squash CTV Botnet After It Impersonates Billions Of Ad Requests

Michael McNally, chief scientist at cybersecurity company HUMAN, publicly called on the advertising industry to implement standards as well as upgrade practices to prevent fraud in connected TV devices.

The call went out Thursday after the discovery of a sophisticated fraud operation in which nearly 1 million infected mobile devices impersonated millions of connected TV products and produced hundreds of billions of fake advertising requests.

“Fraudsters follow the money,” McNally said, explaining that the CTV ecosystem runs on a high cost for impressions (CPMs). “And they’re typically implemented in ways that are low signal. They haven’t caught up in the amount of telemetry you get for CTV playbacks. So you have something that costs a lot of money, with less light shining into the ecosystem.”

IAB has promoted standards for about two years that attempt to achieve a transparent supply chain. If companies followed the industry guidelines, he said, each would have heightened visibility when anyone tried to introduce fraud into the ecosystem.



“Other types of devices like cell phones running on Android or iOS have secure compute environments in them and can be used to construct device attestation protocols like Google’s SafetyNet,” he said. “It’s a privacy-safe way.”

CTV devices do not have attestation yet, and cannot prove they are real devices, he said.

Omnicom Media Group, The Trade Desk, and Magnite, flagship members of The Human Collective — a newly launched initiative that brings together companies within digital advertising to create a collectively protected ecosystem — collaborated with HUMAN, with the support of Google and Roku.

PARETO, the botnet, used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, accounting for an average of 650 million ad requests every day.  

HUMAN found PARETO in 2020 and has been working with the team to prevent its impacts on clients. The operation is named for The Pareto Principle, an economics concept that dictates that 80% of the impact in any given situation is carried out by only 20% of the actors. 

The bot worked by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other CTV platforms.

The botnet took advantage of digital shifts that were accelerated by the COVID-19 pandemic, hiding within the clamor to trick advertisers and technology platforms into believing ads were being shown on CTVs.

After a year, HUMAN and its partners -- including Omnicom Media Group, The Trade Desk, Magnite, Google, and Roku -- disrupted the operation that was associated with 29 Android apps.

A secondary operation was associated with one Roku developer delivering the malware to infected devices.

These apps have all been removed from the marketplaces where they operated.

Earlier this week, DoubleVerify, a competitor to HUMAN in the fraud/brand security space, reported having identified and blocked another series of bot-based ad fraud schemes, dubbed OctoBot, since November 2019.
