Researchers at Oracle announced Wednesday February 20, 2019 their discovery of malicious code connected to a major mobile ad fraud operation “DrainerBot” distributed via millions of downloads of infected consumer apps.
DrainerBot is a sophisticated ad fraud operation that uses malicious code in mobile apps to deliver fraudulent, invisible video ads to Android devices. Android users are usually unaware the costly fraud is happening, but are likely affected by the negative side effects of excessive battery consumption and excessive data bandwidth consumption while the “DrainerBot” fraud operation runs hidden video ads.
Android Device Consumers (Performance, Battery & Data Loss)
Ad Marketers (Money Loss on fake, ineffective ads)
App Developers (Tarnished reputation of app developer)
The offenders behind the fraud operation make money by gaining ad income because the ad networks that payout to affiliates or associates are unaware that the videos are not being seen by any users. The infected app reports back to the ad network that each video advertisement has appeared on a legitimate mobile publisher site, but the sites are spoofed, not real. The fraudulent video ads do not appear onscreen in the apps and are never seen by users of Android devices.
This fraudulent activity appears to be driven by code in an SDK (“Software Development Kit”) which is usually legitimately installed in hundreds of different Android apps.
Infected apps consume significant bandwidth and battery, with tests and public reports indicating an app can consume more than 10 GB/month of data or quickly drain a charged battery, even if the infected app is not in use or in sleep mode.
App developers may have installed the SDK to help monetize pirated installations of their apps through legitimate advertising. However, the SDK appears to have hijacked legitimate installs of their apps to load hidden and fraudulent ads.
Here are some potential signs that an Android user may be impacted by DrainerBot:
1) You have downloaded an app that has incorporated the DrainerBot app and recently has been generating fraudulent traffic. These apps may especially be “Perfect365,” “VertexClub,” “Draw Clash of Clans,” “Touch ‘n’ Beat – Cinema,” or “Solitaire: 4 Seasons (Full)” … Monitoring requires that an Android user analyze traffic by checking each app’s data usage in Settings or by using a network monitoring app (referral here without endorsement);
2) Your phone gets hot and battery life quickly drains even when the phone is not in active use;
3) Your phone is using dramatically more data than it did prior to installation of a particular app or set of apps; and/or
4) Your phone is sluggish and apps crash with great frequency.
HOW TO REVIEW APP USAGE
Review app data usage on your device and beware of apps that have very high backgrounded data usage
Step 1: Select Settings
Step 2: Navigate to Data Usage
Step 3: Select App Data Usage
Step 4: See how much data is being used in a backgrounded state
Step 5: Restrict apps with excessive background data usage
If you find an app culprit, you can make decision to delete the suspected app or restrict its permissions.
DELETE AN APP
If you would like to delete an app
Step 1: Open your device Settings.
Step 2: Select Apps and notifications.
Step 3: Select the app you want to uninstall. (If you don’t see it, select ‘See all apps’)
Step 4: Select Uninstall.
RESTRICT APP PERMISSIONS
If you would like to restrict permissions for an app
Step 1: Open the Settings app.
Step 2: Select Apps or Application Manager (based on device).
Step 3: Select the app you want to update.
Step 4: Select Permissions.
Step 5: Toggle specific permissions on or off.
Oracle is working with developers to investigate and resolve the threats connected to “DrainerBot.” Initially the SDK being used in apps affected by DrainerBot appear to have been distributed by Tapcore, a company in the Netherlands. Tapcore claims to help software developers monetize stolen or pirated installs of their apps by delivering ads through unauthorized installs. However, fraudulent ad activity is not limited to rogue installations of pirated apps. Fraudulent “DrainerBot” activity also occurs after valid installations of apps that use the SDK.
^^ MOBILE? USE VOICE MIC ^^
GET ALERTS on Facebook.com/ArlingtonCardinal
GET ALERTS on Facebook.com/CardinalEmergencies
GET ALERTS on Facebook.com/ArlingtonHeightsCrime
Get updates from The Cardinal ALL NEWS FEEDS on Facebook. Just ‘LIKE’ the ‘Arlington Cardinal Page (become a fan of our page). The updates cover all posts and sub-category posts from The Cardinal — Arlingtoncardinal.com. You can also limit feeds to specific categories. See all of The Cardinal Facebook fan pages at Arlingtoncardinal.com/about/facebook …
Help fund The Cardinal Arlingtoncardinal.com/sponsor
Mobile app fraud is a fast-growing threat that touches every stakeholder in the #digital advertising ecosystem. Today Oracle exposes DrainerBot, an app-based fraud operation causing direct financial harm to consumers. https://t.co/yNjpGV9OWQ #MoatAnalytics pic.twitter.com/KqXP1gMGZq
— Oracle Data Cloud (@OracleDataCloud) February 20, 2019
— ZDNet (@ZDNet) February 20, 2019