DrainerBot Ad Fraud on Android Devices Cheats Advertisers Out of Money, and Android Users Out of Battery Power and Bandwidth; Connected to SDK


Researchers at Oracle announced on Wednesday, February 20, 2019, their discovery of malicious code connected to a major mobile ad fraud operation, “DrainerBot,” distributed via millions of downloads of infected consumer apps.

DrainerBot is a sophisticated ad fraud operation that uses malicious code in mobile apps to deliver fraudulent, invisible video ads to Android devices. Android users are usually unaware the costly fraud is happening, but are likely affected by the negative side effects of excessive battery consumption and excessive data bandwidth consumption while the “DrainerBot” fraud operation runs hidden video ads.

Android Device Consumers (Performance, Battery & Data Loss)
Ad Marketers (Money Loss on fake, ineffective ads)
App Developers (Tarnished reputation of app developer)

The offenders behind the fraud operation collect ad income because the ad networks that pay out to affiliates or associates are unaware that the videos are not being seen by any users. The infected app reports back to the ad network that each video advertisement has appeared on a legitimate mobile publisher site, but the sites are spoofed, not real. The fraudulent video ads do not appear onscreen in the apps and are never seen by users of Android devices.

This fraudulent activity appears to be driven by code in an SDK (“Software Development Kit”) which is usually legitimately installed in hundreds of different Android apps.

Infected apps consume significant bandwidth and battery, with tests and public reports indicating an app can consume more than 10 GB/month of data or quickly drain a charged battery, even if the infected app is not in use or in sleep mode.

App developers may have installed the SDK to help monetize pirated installations of their apps through legitimate advertising. However, the SDK appears to have hijacked legitimate installs of their apps to load hidden and fraudulent ads.

Here are some potential signs that an Android user may be impacted by DrainerBot:

1) You have downloaded an app that has incorporated the DrainerBot app and recently has been generating fraudulent traffic. These apps may especially be “Perfect365,” “VertexClub,” “Draw Clash of Clans,” “Touch ‘n’ Beat – Cinema,” or “Solitaire: 4 Seasons (Full)” … Monitoring requires that an Android user analyze traffic by checking each app’s data usage in Settings or by using a network monitoring app (referral here without endorsement);

2) Your phone gets hot and battery life quickly drains even when the phone is not in active use;

3) Your phone is using dramatically more data than it did prior to installation of a particular app or set of apps; and/or

4) Your phone is sluggish and apps crash with great frequency.

Review app data usage on your device and beware of apps that have very high backgrounded data usage:

Step 1: Select Settings

Step 2: Navigate to Data Usage

Step 3: Select App Data Usage

Step 4: See how much data is being used in a backgrounded state

Step 5: Restrict apps with excessive background data usage
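
For anyone reviewing more than one device, the same check can be scripted. The following is an added example, not code from Oracle or from this article: it applies the warning signs above (heavy data use while the app is backgrounded, and the reported 10 GB/month figure) to per-app usage records. The record layout, the package names, and the 80% and 1 GB thresholds are assumptions made for illustration.

```python
from dataclasses import dataclass

MB, GB = 1024 ** 2, 1024 ** 3
MONTHLY_ALERT_BYTES = 10 * GB  # figure reported on the page for infected apps
BG_SHARE_ALERT = 0.80          # assumed threshold: traffic is mostly backgrounded
BG_SHARE_FLOOR = 1 * GB        # assumed floor so tiny apps do not trip the share rule

@dataclass
class AppUsage:
    package: str
    days_observed: int
    foreground_bytes: int
    background_bytes: int

def projected_background(app, days_per_month=30):
    """Scale observed background bytes to a monthly figure."""
    return app.background_bytes / app.days_observed * days_per_month

def triage(app):
    """Return (verdict, reasons) for one app's usage record."""
    total = app.foreground_bytes + app.background_bytes
    if app.days_observed <= 0 or total == 0:
        return "no-data", []
    monthly = projected_background(app)
    share = app.background_bytes / total
    reasons = []
    if monthly >= MONTHLY_ALERT_BYTES:
        reasons.append(f"background use projects to {monthly / GB:.1f} GB/month")
    if share >= BG_SHARE_ALERT and monthly >= BG_SHARE_FLOOR:
        reasons.append(f"{share:.0%} of traffic occurs while backgrounded")
    verdict = {0: "ok", 1: "review", 2: "restrict"}[len(reasons)]
    return verdict, reasons

# Constructed sample records with hypothetical package names.
SAMPLES = [
    AppUsage("com.example.videoeditor", 7, 150 * MB, 3 * GB),
    AppUsage("com.example.podcasts", 7, 200 * MB, 900 * MB),
    AppUsage("com.example.browser", 7, 2 * GB, 100 * MB),
    AppUsage("com.example.idle", 7, 0, 0),
]

def flagged(samples):
    """Packages needing attention, worst verdict first."""
    order = {"restrict": 0, "review": 1}
    hits = [(a.package, triage(a)[0]) for a in samples if triage(a)[0] in order]
    return sorted(hits, key=lambda h: order[h[1]])

if __name__ == "__main__":
    for app in SAMPLES:
        verdict, reasons = triage(app)
        print(f"{app.package:26} {verdict:9} {'; '.join(reasons)}")
```

A "review" verdict is not proof of fraud: apps that legitimately download in the background, such as podcast or backup apps, can trip the share rule and need a manual look.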

If you find a culprit app, you can decide to delete the suspected app or restrict its permissions.

If you would like to delete an app:

Step 1: Open your device Settings.

Step 2: Select Apps and notifications.

Step 3: Select the app you want to uninstall. (If you don’t see it, select ‘See all apps’)

Step 4: Select Uninstall.

If you would like to restrict permissions for an app:

Step 1: Open the Settings app.

Step 2: Select Apps or Application Manager (based on device).

Step 3: Select the app you want to update.

Step 4: Select Permissions.

Step 5: Toggle specific permissions on or off.

Oracle is working with developers to investigate and resolve the threats connected to “DrainerBot.” Initially, the SDK being used in apps affected by DrainerBot appears to have been distributed by Tapcore, a company in the Netherlands. Tapcore claims to help software developers monetize stolen or pirated installs of their apps by delivering ads through unauthorized installs. However, fraudulent ad activity is not limited to rogue installations of pirated apps. Fraudulent “DrainerBot” activity also occurs after valid installations of apps that use the SDK.


Oracle Exposes “DrainerBot” Mobile Ad Fraud Operation

MOAT | DrainerBot Information & Mitigation


