Oracle discovers another major fraud operation affecting Android users and mobile advertisers

A major new mobile ad fraud operation affecting Android phones, mobile apps and advertisers on the platform was revealed Wednesday by Oracle.

The DrainerBot code appears to have been distributed via an infected SDK, which was integrated into hundreds of popular Android apps and games.

Android operating systems have shown vulnerability to the actions of fraudsters — in October 2018, a botnet operation was uncovered that involved more than 125 Android apps and websites.

What happened. Bad actors use bot networks to defraud advertisers and consumers, employing a malicious mix of spoofing and malware. In this case, unsuspecting users downloaded infected Android apps, which then delivered invisible, fraudulent ads to their devices. The infected apps then reported back to the ad network that each video advertisement had appeared on a legitimate publisher site, but the sites were spoofed, not real.

The infected apps consume significant bandwith  — potentially more than 10 GB per month of data, even when the device is not in use or is in sleep mode. Oracle said that the Netherlands company Tapcore was responsible for distribution of the SDK.

Why you should care. As programmatic advertising continues to rise in popularity, so do incidences of ad fraud, costing advertisers millions in wasted ads and providing bad experiences for users.

“In today’s complicated advertising ecosystem, criminals are increasingly targeting mobile apps because that’s where the users — and the ad money to reach them — is going,” said Eric Roza, SVP & GM, Oracle Data Cloud. “As criminals adapt their attacks, marketers need to adapt their defenses as well.”

Even though Android users are the ones most affected by this, Roza said he doesn’t see it as a platform issue.

“Ad fraud reaches every corner of the global advertising market, across mobile and desktop, in-app and video and display, iOS and Android, programmatic and reserved and walled gardens. This is effectively an arms race, and we are devoting an increasing number of resources to help advertisers, publishers, and consumers stay a step ahead,” Roza said.

Oracle said that The Trustworthy Accountability Group (TAG) will be holding a special briefing for its member companies on Friday to discuss mitigation steps for the threat.

Update: Tapcore issued a response saying it “vehemently denies any intentional involvement in the purported “Drainbot” ad fraud scheme.” The company says it vows to launch a full investigation and share results.

About The Author

Robin Kurzer

Robin Kurzer started her career as a daily newspaper reporter in Milford, Connecticut. She then made her mark on the advertising and marketing world in Chicago at agencies such as Tribal DDB and Razorfish, creating award-winning work for many major brands. For the past seven years, she’s worked as a freelance writer and communications professional across a variety of business sectors.