In an unusual twist, end users of Android phones were not the direct target of the latest exploit that took place on a massive scale. It was the advertisers in the crosshairs. Though generally not the sympathetic figures in a consumer electronics story, advertisers were scammed out of millions of dollars through the use of fraudulent apps and bots. The Verge has more on the story.
“Google is clamping down on a fraudulent advertising network of over 125 Android apps and websites that have stolen hundreds of millions in ad dollars. A BuzzFeed report laid bare the huge scale of the scheme, which saw scammers from “We Purchase Apps” acquire established apps from developers, transferring them to a web of front and shell companies in Cyprus, Malta, British Virgin Islands, Israel, and Bulgaria.”
The scheme involved making apps people would want to download, then using a “vast network” of sophisticated bots to monitor and then mimic the behavior of the people using the apps. These bots were able to generate a lot of fake traffic that would be hard to detect because it mimicked real human behavior. The con artists were able to get away with millions before the scheme was discovered.
There is little the end user can do to steer clear of these apps. The usual advice is to download only apps from the official Play Store, which have been vetted by Google’s process. But that advice does not apply in this case. Many of these apps are in the Google Play Store. Google is in the process of purging these apps as it finds them.
There is no particular category for these apps. They are games, health and fitness apps, flashlight apps, and at least one selfie app. One should always be wary of downloading ad-sponsored apps from unknown companies with little unique utility. These are often the kinds of apps used to recruit your phone’s resources into a botnet army.
Even knowing about the problem, Google is having a hard time purging the system. At least one of the apps mentioned in the article is still live on the Play Store. There is no indication that third-party app stores are doing anything at all about the matter.
While this attack was not targeting end users, it should be a reminder to everyone that your data can be vulnerable when using a smartphone or computer. Ad blockers and browser tracker blockers can be helpful in combating this type of problem. Ironically, though, the ad companies that were scammed most likely would not approve of those measures.