Published on October 29th, 2018
As digital marketers, we’re constantly obsessing over the security of our websites, assets, and reputations -- and for good reason.
Today, the world is far more connected and involved than ever before, which only means more risk of facing negative cyber events such as fraud, theft, and property damage.
Such was the case with the recent discovery, through an investigation led by BuzzFeed News, of an ad fraud scandal involving Android and its billions of users -- including children.
Millions of Dollars Were Stolen through Everyday Apps...and We Didn’t Even Know It
For at least the past year and a half (and quite possibly earlier), over 100 Android apps and websites connected to the Google Play store have been purchased in order to steal close to an estimated $10 million from advertisers who placed ads within them.
But why Android?
Experts say it’s because of its large user base and because the Google Play store’s app review process isn’t as scrupulous as Apple’s.
A non-verified company, We Purchase Apps, along with fraudsters working for or with it (i.e. Fly Apps, a Maltese company with multiple connections to the scheme), has been in contact with the previous owners of these apps with the sole goal of purchasing them.
Here’s how they did it:
Companies involved in the fraud sought out apps to purchase that had a large user base and positive reviews. Once the business deal was complete, the apps continued to be maintained in order to keep real users happy.
The fraudsters then studied the behavior of the human users of those apps and created bots, or automated computer programs, to mimic their actions. The bots were then loaded onto servers that enabled them to generate “fake traffic” within certain apps through specialized software.
For websites specifically, the bots were able to visit them using virtual web browsers that essentially present the traffic as real, human visits.
Since the real traffic and fake traffic look almost exactly the same, the combination of humans with bots was able to go undetected by security systems.
As a result, a large number of ad views were generated, which translated into revenue: the ultimate goal of the scheme.
Some Facts & Statistics
To show just how detrimental this process was, here are a few notes provided by organizations involved in the investigation.
- In total, the apps identified by BuzzFeed News have been installed on Android phones more than 115 million times, according to data from analytics service AppBrain.
- App metrics firm AppsFlyer estimated that between $700 million and $800 million was stolen from mobile apps alone in the first quarter of this year, a 30% increase over the previous year.
- Pixalate’s latest analysis of in-app fraud found that 23% of all ad impressions in mobile apps are in some way fraudulent.
- Overall, Juniper Research estimates $19 billion will be stolen this year by digital ad fraudsters, but others believe the actual figure could be three times that.
Before BuzzFeed News alerted Google to its investigation, Google received a list of apps and websites connected to the scheme.
It did some further research and found that dozens of the apps use its mobile advertising network. In response, Google has removed more than 30 apps from its store and deleted a number of publisher accounts with its ad networks.
Google now continues to investigate. This blog post published by the company digs deeper into its findings.
Chances are, you’re not using mobile apps to position your ads in front of potential audiences. We’re more in tune with Facebook, LinkedIn, and AdWords. But if you are, it goes without saying that you want to make sure you’re vetting your platforms carefully.
If you’re an Android user, or you have children who use any of the apps or websites listed here, there’s no real security risk for you to deal with, but just know that your behavior could have unknowingly been used to fuel one of the biggest ad fraud scandals in history.
As digital companies, we need to continue to practice safe online behaviors with anything we do. If there’s one thing we can learn from this scheme, it’s that fraud is more prevalent than ever in the digital world, and the industry’s struggle to stop it remains apparent.