
How a Massive Ad Fraud Scheme Exploited Android Phones to Steal Millions - minimaxir
https://www.buzzfeednews.com/article/craigsilverman/how-a-massive-ad-fraud-scheme-exploited-android-phones-to
======
rayvy
As someone who works monitoring ad network traffic at a large ad-tech company
(not FAANG, but just below), let me just say: _everyone does fraud_.

Some don't need as much of it (e.g., Google), but quite literally saying
"there's fraud in my online traffic" is like saying "there's tomato sauce in
my spaghetti". It's quite literally such a normal thing that I've become
immune to even getting roused by it (and remember, again, I work to find ad-
fraud _daily_ ).

Does this make it right? No, absolutely not. But is this ever going to change?
Absolutely not. Too many people are making too much money from this. Just you
try to tell an L2 that they can't hit their Q4 Revenue OKR because "we're
doing something really immoral by allowing fraud".

Don't make me laugh XD

~~~
milesskorpen
Beyond this, ad spend ASSUMES some level of fraud. It's baked into your ROI
numbers, at least for performance advertising.

Probably the main people getting stiffed are the publishers who are offering
real traffic, and getting a smaller share of dollars relative to the
incremental value they deliver.

~~~
cf498
Can you point me towards credible work determining ROI for online
advertisement? What's the current state of the art?

edit: I should rephrase, this sounds hostile. I know there is wide work in
influencing people to buy stuff when influenced in person. The interpersonal
dynamics are widely studied. I also know that chumming content and goading
works to gather more views, but that can only be turned into an ROI by people
paying for ads to serve those viewers. There is also the segment of ads which
offer a discount, but what about all the rest? Does banner or clip
advertisement actually provide a measurable return on investment? Does online
advertisement offer brand recognition, and does it provide a ROI? Are the
adverse effects studied, so that people actively despise brands for offensive
ads? What are the going rates for views and reactions to online advertisement
vs traditional marketing?

In short, what is the state of the art of research into online advertisement?

~~~
downandout
There are two distinct areas of online advertising: performance marketing, and
brand advertising. I'm a performance marketer. I make a profit only when ads
result in conversions - usually sales or signups for trial offers, but in some
cases we do lead generation campaigns for clients as well. We spend high 5/low
6 figures per month, mostly on Facebook ads, with a _monthly_ ROAS (return on
ad spend) that beats Berkshire Hathaway's _annual_ returns. The idea that
online advertising _cannot_ work is absurd.

The schemes mentioned in articles like this are almost exclusively targeted at
_brand_ marketers. My guess is the problem lies in the way that large brands
incentivize the people running their campaigns, because the technology exists
to knock out the vast majority of this type of fraud. Companies like Coke hire
ad firms that send them reports about impressions, and they are thus
incentivized to not pay attention to traffic quality, and just maximize
impressions. That has to be the problem, because just my internal traffic
quality tools that I have written would have shut down ad delivery on the sites
sending such obviously bad traffic within a few clicks from each referrer -
and I don't claim to have written the most sophisticated filter out there.
There are many ways to do reality checks on traffic, on a per-referrer basis,
and cut out much of this stuff. Webview traffic (the kind being taken
advantage of here) is among the easiest to detect.

As to your question about measuring ROAS it's simple for performance
marketers. Take your ad spend and compare it to revenue. I'm not sure that
brand marketers have a reasonable way of determining ROAS, either online or in
the physical world. I suppose they could take brand recognition surveys and
compare before/after a given campaign, but that is hardly an exact science.

~~~
DeGi
And without doing experimental setup (RCTs), how do you know you are not just
paying for organic conversions?

I had this presentation a few months ago:
https://www.slideshare.net/mobile/gregak/if-youre-not-measuring-advertising-effectiveness-through-rcts-youre-doing-it-wrong-102417409
I would be interested to know what you think.

~~~
downandout
Very interesting presentation. The question your research is attempting to
answer is certainly a valid one for major sites, where people might be on the
site anyway without having clicked on a given ad. In my specific case, most of
the sites/offers we market through Facebook ads wouldn't have attracted many
organic visitors, let alone conversions, on their own, so it's not a question
I need to answer. These sites rely almost entirely on paid traffic, and if
they don't get it they are out of business.

The importance of being able to figure out what actually led to conversions is
not lost on me though. One unique technology I created allows us to do
something that I have never seen anyone else in the online marketing world do:
track conversions back to the initial click and ad campaign, even if someone
just texts, emails, or uses an instant messenger to send the URL to a friend.
So let's say someone visits the site, sees that the offer isn't for them but
texts it to a friend. A month later, that friend finally gets around to
looking at it, but decides it isn't for them either but knows someone else who
might be interested, and they email it to someone else, who ultimately
converts. We can track that conversion and all the steps in between back to
the initial click and attribute it to the initial ad campaign, which gives us
a much better sense of what each ad campaign is actually producing. The
technology also lets us create custom Facebook audiences of anyone that has
shared a link from the site - regardless of how they shared - text, email,
Facebook - doesn't matter. We can then customize campaigns to encourage those
people to share again.

~~~
DeGi
If close to 0 of your traffic is organic, then you don’t have to care too much
about the whole correlation vs. causality problem, yes.

What you describe is certainly interesting. I guess you are building a graph
of unique IDs, with each shared URL containing the ID of the parent as a query
param or something like that?

~~~
downandout
Something like that, yes. When you visit any URL on the site, we use
javascript to rewrite the URL in the location bar with a shortened, unique,
trackable URL. So we know both what URL you came in through, and the new URL
that we then assigned to you. With this we can track every click all the way
back up through the tree to the initial click, even if you just copy/paste the
URL or hit the button on your phone to text the page to a given contact. Where
possible, we also track any link preview engines that visit the URL, so we can
usually tell not just _that_ you shared, but _how_ you shared (skype,
telegram, iMessage, gmail, facebook, twitter, etc.).

I initially wrote this system so that I could retarget through Facebook ads
people that had previously shared viral news articles, but now we have found
great applications for it in ecommerce and lead gen as well.

~~~
DeGi
You wouldn’t know who shared until someone actually visits the shared link,
right? Unless I’m misunderstanding something. Also I don’t see how you
would build a custom audience on FB for the people who _shared_ , e.g. by
copy-pasting the URL from the location bar. I see how you would do it on some
javascript event (e.g. page load, click on share button, etc.), but that’s not
the same.

~~~
downandout
Correct, we don't know who shared until someone visits the link. But, we can
build a custom audience _after the fact_ because the Facebook retargeting
pixel lets you pass an arbitrary ID of your choosing with each pixel load (the
variable name is "extern_id" [1]). So when a click comes in on a given URL
that we know had to have been shared, we know what extern_id we gave to
Facebook for the original user that shared the link on the pixel fire back
when they first visited the site. We can then build a custom audience using a
list of those extern_ids for only people that have shared, after the fact.

https://developers.facebook.com/docs/marketing-api/audiences-api/ - see "External Identifiers"
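
The share-chain attribution downandout sketches above, as an added example in Python. This is not downandout's system (which is not public) and not code from the article; it assumes the design DeGi guessed at: every page view gets a fresh token, the token the visitor arrived on is stored as its parent, the root carries the campaign id from the ad click, and each visitor's pixel fire carries an extern_id, so a conversion can be walked back to the campaign and the sharers' extern_ids collected after the fact. The class and function names, the preview-engine user-agent table and the sample visits are constructed for this example.

```python
import secrets
from dataclasses import dataclass
from typing import Optional

# Substrings of User-Agent headers sent by link-preview fetchers. This table is an
# assumption of the example (illustrative, not complete or authoritative).
PREVIEW_AGENTS = {
    "facebookexternalhit": "facebook",
    "Twitterbot": "twitter",
    "TelegramBot": "telegram",
    "WhatsApp": "whatsapp",
    "Slackbot-LinkExpanding": "slack",
}


@dataclass
class Visit:
    token: str                        # token the visitor's location bar was rewritten to
    parent: Optional[str]             # token the visitor arrived on; None for a direct ad click
    campaign: Optional[str]           # set only on root visits, from the ad click parameters
    extern_id: str                    # id sent with this visitor's retargeting pixel fire
    shared_via: Optional[str] = None  # preview engine later seen on this token, if any


class ShareGraph:
    """Tree of visits: each page view gets a fresh token whose parent is the token it
    arrived on, so any later visit can be walked back to the original ad click."""

    def __init__(self) -> None:
        self.visits = {}

    def visit(self, extern_id, incoming_token=None, campaign=None) -> str:
        """Record a page view; return the token to rewrite the location bar with."""
        if incoming_token is not None and incoming_token not in self.visits:
            raise KeyError(f"unknown token {incoming_token!r}")
        if incoming_token is None and campaign is None:
            raise ValueError("a root visit must carry the campaign from the ad click")
        token = secrets.token_urlsafe(6)
        self.visits[token] = Visit(token, incoming_token, campaign, extern_id)
        return token

    def preview_fetch(self, token, user_agent) -> Optional[str]:
        """A preview engine requesting a token reveals *how* its owner shared it."""
        for needle, channel in PREVIEW_AGENTS.items():
            if needle in user_agent:
                self.visits[token].shared_via = channel
                return channel
        return None

    def chain(self, token):
        """Visits from `token` up to the root, i.e. back to the original ad click."""
        out = []
        while token is not None:
            v = self.visits[token]
            out.append(v)
            token = v.parent
        return out

    def attribute(self, token) -> Optional[str]:
        """Campaign credited for a conversion that happened on `token`."""
        return self.chain(token)[-1].campaign

    def sharers_of(self, token):
        """extern_ids of everyone on the path above `token`: each ancestor's URL was
        opened by someone else, which is the only evidence that they shared it."""
        return [v.extern_id for v in self.chain(token)[1:]]

    def sharer_audience(self):
        """extern_ids to upload as a custom audience of people who have shared, built
        after the fact from every token that acquired at least one child visit."""
        shared = {v.parent for v in self.visits.values() if v.parent is not None}
        return {self.visits[t].extern_id for t in shared}


def demo() -> dict:
    """Constructed scenario from the comment: ad click, URL passed to a friend a month
    later, forwarded again, and the third person converts."""
    g = ShareGraph()
    t_alice = g.visit("ext-alice", campaign="fb-campaign-17")   # clicked the ad
    t_bob = g.visit("ext-bob", incoming_token=t_alice)          # opened Alice's URL
    g.preview_fetch(t_bob, "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)")
    t_carol = g.visit("ext-carol", incoming_token=t_bob)        # opened Bob's URL, converts
    g.visit("ext-dave", campaign="fb-campaign-22")              # direct click, never shared
    return {
        "campaign": g.attribute(t_carol),
        "sharers": g.sharers_of(t_carol),
        "audience": g.sharer_audience(),
        "bob_shared_via": g.visits[t_bob].shared_via,
        "depth": len(g.chain(t_carol)),
    }
```

Two properties fall out of the tree: a sharer is identified only once someone follows their token (a share that nobody opened leaves no trace), and the audience upload is just the set of extern_ids whose token has at least one child, which can be rebuilt from the stored visits at any time rather than needing a client-side share event.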

------
BLKNSLVR
So, to summarise online advertising:

1\. It has been a vector for viruses / malware / cryptocoin mining

2\. It tracks users' activities on the internet without their knowledge to form
a picture of their 'online personality'

3\. It can invade a user's privacy by keeping records of personal and / or
intimate details of their online activities

4\. It often uses more bandwidth than the content of the site it's on

5\. auto-play videos

6\. unexpected audio

7\. As per rayvy's comment "everyone does fraud"

As the Joker said "this town needs an enema".

Given that "all the smartest people in the world work for advertising" it's a
remarkable collective of all kinds of failure. And yet it continues to make a
shit-ton of money because it's pretty much the only game in town.

What's the alternative? Word-of-mouth? That requires a product that's good and
useful both now and into the future; not a fad. The growth-rate can also be
glacial for a long initial phase, which needs commitment and passion from its
developers and management over the long term.

I can't see any revolution on the horizon though. It's going to take an
impossibly sized critical mass of society to protest, and given the number of
people still on Facebook... 'Brands' aren't going to stop advertising for fear
of competitors getting more eyeballs.

I'm going to start an advertising company called Raypenpillidge Sleepwell.

Footnote: Point #3 is separate from point #2 because tracking and privacy
invasion should be considered separately - tracking could be done more openly
with user consent which would mean the level of privacy invasion could be
chosen by the user.

~~~
2sk21
Half serious suggestion: Could we somehow enable individuals themselves to
conduct auctions to allow advertisers access? Imagine being able to say: "I
will accept 10 ads today - you guys figure out what you want to show me".

~~~
pavel_lishin
Assuming we erect such a system, what's my incentive to not use an ad blocker
anyway? I don't want to see ten ads a day, I want to see zero.

~~~
2sk21
Advertisers would pay me to watch the ad in its entirety. Consider an
example: timeshare sellers actually pay people to listen to their pitches.

~~~
pavel_lishin
Timeshare sellers are an excellent example, as they're typically scummy,
underhanded, and will try to back out on their already dodgy payment if you
don't take the bait.

------
jaclaz
It seems to me that - besides the specific fraud scheme in the article - there
is something else to be worried about.

From the article:

>The revelation of this scheme shows just how deeply fraud is embedded in the
digital advertising ecosystem, the vast sums being stolen from brands, and the
overall failure of the industry to stop it.

And, more relevant:

>Pixalate’s latest analysis of in-app fraud found that 23% of all ad
impressions in mobile apps are in some way fraudulent.

Now, if the numbers are correct and 23% of ad impressions is fraudulent, it
should mean that either:

1) the firms/brands/whatever that are paying for these ads cannot measure with
a sufficient degree of accuracy the results of these ads

2) they perfectly know that more than 1/5 of their ads expense is having
"null" results but overall they are ok to spend the 100% price for less than
80% "real" impressions

If the first hypothesis is true there is some incompetence around, if the
second, it's business as usual.

I believe more likely the #2 to be true, and since the companies/brands/etc.
insist on it, this 20-25% "surcharge" is a "standard" of sorts.

So, hypothetically, if these frauds were completely eradicated and the
companies continued to invest the same amount of money in ads, we would be
doomed to see 20-25% more ads than we do now.

~~~
Retric
"Impressions" is a rather meaningless metric.

If A$ = B impressions = C clicks = D sales then the amount of fraud is
irrelevant; it's just a question of A$ = D sales from the advertiser's
perspective.

~~~
sroussey
Depends. Are the ads direct or branding? Coke ads to have you buy offline, for
example: the sales are not so easily tracked.

~~~
Retric
Coke still "just" cares about sales, they simply can't directly measure it as
well and thus use impressions as a proxy for sales. It’s clicks they don’t
necessarily care about.

------
thijser
This is Mathijs from AppBrain. The app mentioned at the start of the article
used Admob and Adcolony it seems:
https://www.appbrain.com/app/emoji-switcher-root/com.stevenschoen.emojiswitcher
and was taken down on October 2nd. Another app implicated in this scheme used
15 ad networks (including Admob, Facebook Audience Network and Twitter's Mopub)
and was just taken down 6 days ago:
https://www.appbrain.com/app/wheel-of-surprise-eggs/com.thomsandapps.wheelofsurpriseeggs

~~~
thijser
We updated our SDK signatures and now have a public page that shows stats
about apps that contain this malware:
https://www.appbrain.com/stats/libraries/details/techsnab-code/techsnab-behavior-capture-code

If you want to check whether your own device has any apps that contain the
code used by this botnet, the latest release of our AppBrain Ad Detector app
will scan for it. It's available on Google Play here:
https://play.google.com/store/apps/details?id=com.appspot.swisscodemonkeys.detector

------
makecheck
I’m kind of amazed how much money can be tied up in things that are not well
understood by the _vast_ majority of people who fund those things.

Ad networks. Various products from financial institutions. Cryptocurrencies.
Heck, even app stores (as a developer, if your app was sold to somebody and
Apple/Google’s system was simply broken and somehow they made their cut but
you didn’t, how would you even know?).

At a certain point, it sure seems that people rely on popularity as proof of
proper functionality (i.e. “lots of people seem to use this just fine” =
“nothing can go wrong”). In reality, we should be expecting a lot more: asking
harder questions, demanding more proof of activities, expecting extremely
reliable support, etc. And frankly, a lot of these things should have open-
source implementations to make it even easier to ensure that they work the way
they claim to.

------
0xmohit
> This means a significant portion of the millions of Android phone owners who
> downloaded these apps were secretly tracked as they scrolled and clicked
> inside the application. By copying actual user behavior in the apps, the
> fraudsters were able to generate fake traffic that bypassed major fraud
> detection systems.

So the fraudsters essentially did what Google is best at -- tracking and
making 'use' of the information.

------
tareqak
Google's blog about it:
https://security.googleblog.com/2018/10/google-tackles-new-ad-fraud-scheme.html

~~~
gcb0
a security blog you can only read after enabling javascript for a dozen
domains. Nice one google.

~~~
John_KZ
How silly of you to assume one can deliver 2kb of text without running
thousands of lines of blackbox JavaScript on your device and contacting dozens
of servers. Besides, do you have anything to hide? Not running JS would
suggest so, and possibly help identify you online as the one guy that doesn't
run JS from your IP range. Welcome to the future.

~~~
gcb0
people here can't understand sarcasm :) I had a laugh, then got sad. but
upvoted you anyway.

------
cwkoss
Is Ad fraud a pro-social 'crime'?

Every ad viewed by a bot is one less attempt at adversarially influencing a
human against their will.

~~~
archi42
While this point of view is a neat idea and part of me really likes it, I'm
afraid those people just want to make as much cash as possible. Also, if they
make $750M, that's $750M they deprived other parts of society of (e.g. app
developers who could have had about 5000 more employees).

------
iamaelephant
Gosh I don't know who to feel worse for, the brands who will do anything to
stick their bullshit into my eyeballs or the shitty ad networks that enable
it.

------
mellow-lake-day
That article is an example of outstanding journalism.

It probably required tremendous amounts of writing ability, knowing the
subject matter, spending hours and hours of research, being familiar with the
industry, etc. Doesn't see this much these days. Too bad a lot of journalism
died in 2008/2009 when journalists lost their jobs and newspapers were either
bought by big players or simply went out of business.

~~~
mschuster91
Well, it's Buzzfeed. They have the relatively unique business model with their
listicles and other clickbait crap financing their high-quality investigative
journalism.

~~~
dvirsky
What I find a bit weird is that they don't split the brands of the main
Buzzfeed stuff and the more serious journalism.

~~~
mschuster91
IMHO it makes sense for Buzzfeed - the quality stuff makes readers go to the
website, and then the reader can be led to the stuff like "21 Unintentionally
Hilarious Knock-Off Halloween Costumes That Are Just MAYBE Better Than The
Real Thing" in the "Read On" section.

------
z3t4
I have mixed feelings about the ad market. Automated ads are a very nice
business model, compared to trying to get users to pay for your content.
Running ads basically automates your whole sales organization, you do not even
need a sales organization. On the other hand, I forget what's the term in game
theory, but it's a lose-lose game, where the one with the most ads wins, not
necessarily the one with the best product. - Forcing competitors to also spend
money on ads. And because it's fully automated - it's easy money for bad
actors.

------
Jach
From the article, here's the list of apps/websites so far:
https://docs.google.com/spreadsheets/d/1BMJAHOASdeOOYgomSva9URZnPZ4ZdPbnyxdpqQH9KgI/edit?usp=sharing

------
John_KZ
Wow, it's like the way I move my mouse isn't a legit Turing test. What a
shocker.

The real problem is using stupid methods to identify real users. This
adversarial run is reaching its end state, and you can't tell apart humans
from machines there.

------
1024core
How do these "bots" work? Is there like a big room with lots of Android phones
hooked up to some automated robotic finger for tapping and scrolling? Or are
they using VMs to run some Android emulator and do everything in software?

~~~
nneonneo
A simple ad system shows an ad in an app or page, and when you click on it,
sends a request off to the ad server which causes some ad credit (money) to
change hands - the advertised company gets charged for a click, intermediaries
get a cut, and the app or site owner gets their share.

Unsurprisingly, a site owner is heavily incentivized to click on their own
ads, or have others click on them, in order to pay themselves. To avoid this
the ad server will want to check that the click came from a real human. They
can check by IP (e.g. clicks coming from AWS boxes are probably fraud,
excessively fast clicks are rejected, etc.); by user activity (monitoring
mouse clicks, keyboard entries, dwell time, and a host of other factors); and
by statistical measures (is the ad statistically likely to be clicked on by
the source, based on e.g. language, prior ad preferences, etc.)

The news article makes it sound like the bot owners are gathering usage data
to simulate real human behavior, which they can then pass off as being real
human inputs prior to clicking an ad. Of course, one wonders why they don’t
just instruct these millions of phones to click on ads directly (e.g. in the
background), which would give them access to a huge legitimate pool of IP
addresses.
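
The checks nneonneo lists (source IP in hosting ranges, clicks arriving too fast, short dwell time), together with the per-referrer cut-off downandout describes earlier in the thread, as an added example in Python run over a constructed click log. It is not any ad network's actual filter; the hosting ranges, thresholds, log format and sample lines are assumptions of this example.

```python
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed stand-in for a hosting/datacenter IP list; production filters use a
# maintained IP-intelligence feed, not a hand-written pair of documentation networks.
DATACENTER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
MIN_DWELL_SECONDS = 2.0       # landing page abandoned faster than this: nobody read it
MIN_CLICK_GAP_SECONDS = 1.0   # two clicks from one source closer than this: automated
MAX_FLAGGED_PER_REFERRER = 3  # cut a referrer off after this many flagged clicks

# Constructed click log: "<utc timestamp> <source ip> <referrer> <ad id> <dwell seconds>"
SAMPLE_LOG = """\
2018-10-23T10:00:00 192.0.2.10 goodnews.example ad-1 14.2
2018-10-23T10:00:05 192.0.2.11 goodnews.example ad-2 9.8
2018-10-23T10:00:07 203.0.113.5 freegames.example ad-1 0.3
2018-10-23T10:00:07 203.0.113.5 freegames.example ad-1 0.2
2018-10-23T10:00:08 203.0.113.6 freegames.example ad-3 0.4
2018-10-23T10:00:30 192.0.2.12 freegames.example ad-2 11.0
2018-10-23T10:01:00 192.0.2.10 goodnews.example ad-3 0.5
"""


def parse_click(line: str) -> dict:
    ts, ip, referrer, ad_id, dwell = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "referrer": referrer,
            "ad_id": ad_id, "dwell": float(dwell)}


def is_datacenter(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


def score_clicks(log: str) -> list:
    """Attach a list of reasons to every click; an empty list means it passed."""
    clicks = sorted((parse_click(line) for line in log.splitlines() if line.strip()),
                    key=lambda c: c["ts"])
    last_seen = {}  # source ip -> timestamp of its previous click
    for c in clicks:
        reasons = []
        if is_datacenter(c["ip"]):
            reasons.append("datacenter_ip")
        if c["dwell"] < MIN_DWELL_SECONDS:
            reasons.append("low_dwell")
        prev = last_seen.get(c["ip"])
        if prev is not None and (c["ts"] - prev).total_seconds() < MIN_CLICK_GAP_SECONDS:
            reasons.append("burst")
        last_seen[c["ip"]] = c["ts"]
        c["reasons"] = reasons
    return clicks


def suspended_referrers(clicks: list) -> set:
    """downandout's per-referrer cut-off: stop buying from a source once enough of
    its clicks fail the checks, regardless of how the remaining ones look."""
    flagged = Counter(c["referrer"] for c in clicks if c["reasons"])
    return {r for r, n in flagged.items() if n >= MAX_FLAGGED_PER_REFERRER}


def billable_clicks(log: str) -> list:
    """(ip, ad_id) pairs the advertiser should actually be charged for."""
    clicks = score_clicks(log)
    suspended = suspended_referrers(clicks)
    return [(c["ip"], c["ad_id"]) for c in clicks
            if not c["reasons"] and c["referrer"] not in suspended]
```

The statistical check nneonneo mentions (is this source likely to click this ad at all, given language and history) needs per-source baselines and is left out. The per-referrer cut-off is what does the real work: it also drops the clean-looking 11-second click that freegames.example mixed in with its bot traffic, which a purely per-click filter would have billed.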

------
wiradikusuma
TL;DR: Some company acquires apps to track those apps' users' activities so
that the company can simulate the activities in a farm of bot-controlled ad-
enabled phones?

1\. Why don't they just show the ads to real users?

2\. If the real users don't really get to see the ads, isn't this a win for
everyone (except advertisers)?

(I'm not saying I agree with their practices, but just trying to think how
they rationalize their moral decisions).

------
michaelbuckbee
I'm always curious how exactly the fraud detection happens. Is Pixalate doing
network analysis? App Analysis? Could I do the same thing myself with
wireshark on my home network?

~~~
z3t4
Basically all "spyware" traffic is encrypted; you can however see which IPs
users of your network connect to (and some meta-data such as domain name,
protocol and hand-shakes) using for example Wireshark or tcpdump. My guess is
that the fraud is detected by monitoring the traffic on the ad server, seeing
that an "impression" is registered from their test phone's IP, and by looking
at the phone they affirm that no ad was displayed.

~~~
sdossick
It is functionally trivial to rotate IPs from the "test phones". There are
shady brokers who will sell you Residential IP-based proxy servers (hacked
home machines which will proxy your calls and make them appear to come from
homes all around the world).

~~~
z3t4
I mean in an audit, the test person can install the app on a device he/she has
physical access to, and conclude that his/her phone was registered in the ad
agency logs, yet no ad was shown. The fraudsters could however make it so
the phone only sends fake impressions after a certain amount of engagement, so
that the audit/test person would have to play "my little pony", e.g. the
children's game, for one week ...

------
philipodonnell
> More than 15 additional websites involved in the scheme reused the same
> TrackMyShows.tv SSL certificate

Anyone shed light on this? How does one website use another website's SSL
cert?

~~~
detaro
At least the one example they link is delivered over HTTP. If you request
HTTPS instead, the server presents the certificate for TrackMyShows.tv.

~~~
philipodonnell
> If you request HTTPS instead, the server presents the certificate for
> TrackMyShows.tv

But will it successfully connect?

~~~
detaro
No.
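
Why the HTTPS request detaro describes fails, as an added example in Python (not code from the article or from any of the sites involved): a verifying client compares the hostname it asked for against the certificate's subjectAltName dNSName entries, and a certificate issued for TrackMyShows.tv does not cover another site's name, so the handshake is rejected before any HTTP is sent. The SAN entries in SHARED_CERT and the function names are assumptions of this example; probe() is the only network call and is not run here.

```python
import hashlib
import socket
import ssl

# Constructed stand-in for what getpeercert() would return for the certificate in the
# exchange above; the real certificate's fields are not on the page, so these SAN
# entries are an assumption of the example.
SHARED_CERT = {
    "subject": ((("commonName", "trackmyshows.tv"),),),
    "subjectAltName": (("DNS", "trackmyshows.tv"), ("DNS", "www.trackmyshows.tv")),
}


def matches_hostname(cert: dict, hostname: str) -> bool:
    """Does a certificate (dict shaped like ssl.SSLSocket.getpeercert()) cover `hostname`?
    Only dNSName SAN entries count, as in current browsers (no CN fallback), and a
    wildcard matches exactly one leftmost label, the RFC 6125 rule."""
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                        # "*.example.net" -> ".example.net"
            head = host[:-len(suffix)] if host.endswith(suffix) else ""
            if head and "." not in head:
                return True
        elif name == host:
            return True
    return False


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding: the key to pivot on when looking for other
    hosts that present the very same certificate, as the article did."""
    return hashlib.sha256(der).hexdigest()


def probe(hostname: str, port: int = 443, timeout: float = 5.0):
    """Live check, not exercised offline. First fetch whatever certificate the server
    presents for this SNI name without verifying it (getpeercert() returns an empty
    dict under CERT_NONE, so ask for the DER form), then report whether a verifying
    client would accept the handshake at all."""
    insecure = ssl.create_default_context()
    insecure.check_hostname = False
    insecure.verify_mode = ssl.CERT_NONE
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with insecure.wrap_socket(raw, server_hostname=hostname) as tls:
            der = tls.getpeercert(binary_form=True)
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=hostname):
                accepted = True
    except ssl.SSLCertVerificationError:
        accepted = False
    return cert_fingerprint(der), accepted
```

Running probe() against each site in a list and grouping by the returned fingerprint reproduces the article's pivot: hosts that share one certificate are almost always one operator's, whatever their domain names suggest. The `accepted` flag is what a browser sees; for every name the certificate does not cover it is False, which is detaro's "No".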

------
charmides
Didn't this type of fraud require massive domain expertise?

~~~
gcb0
1\. record all network interaction going out of your MRAID adapter, from your
few, actual users.

2\. replace timestamp and userIDs fields on the network requests you will
replay with Math.random()

3\. Profit!

Seems pretty simple and banal to me.

~~~
stordoff
> userIDs fields on the network requests you will replay with Math.random()

Isn't this _why_ you'd need domain expertise? Random User IDs would be
detectable - a French user suddenly clicking on English ads and following East
Coast time would be a red flag.

~~~
gcb0
the beauty is that everyone wants to do re-attribution, so they can buy cheap
and sell expensive.

if I send a bid to google with a random browser id, it will assign a new user
on the spot (we won't be lucky to match a valid user as in your example) and
all goes on normally.
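
What separates gcb0's three-step replay from undetectable traffic, as an added example in Python over constructed requests; it is not code from the article, from Google's or Pixalate's detection, or from anyone in the thread. Two server-side checks are shown: a fingerprint over the fields a record-and-replay bot leaves untouched (device, build, locale, declared timezone and the captured interaction trace), which clusters one real session's payload across the many random user ids it is replayed under, and stordoff's consistency check, comparing the replayed profile's locale and timezone with the country the request actually came from and the language of the ad the network served. The field names, the offset table and the sample requests are assumptions of this example.

```python
import hashlib
import json
import random
from collections import defaultdict

# Fields a replayer regenerates per request (gcb0's "replace with Math.random()").
VOLATILE = {"user_id", "ts", "request_id"}
# Fields the ad server adds itself; they are not part of the replayed payload.
SERVER_SIDE = {"ip_country", "ad_lang"}
# Constructed: UTC offsets (hours) a device in each country can plausibly declare.
# A real check would use a timezone database keyed on the request's geolocated IP.
EXPECTED_OFFSETS = {"FR": {1, 2}, "US": {-4, -5, -6, -7, -8, -9, -10}}


def fingerprint(ev: dict) -> str:
    """Hash of everything a record-and-replay bot leaves untouched: device, app build,
    locale, declared timezone and, above all, the captured interaction trace."""
    stable = {k: v for k, v in ev.items() if k not in VOLATILE | SERVER_SIDE}
    blob = json.dumps(stable, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()[:16]


def replay_clusters(events: list, min_users: int = 5) -> dict:
    """Fingerprints seen under at least `min_users` distinct user ids. Two genuine
    users never produce byte-identical traces, so a large cluster is one captured
    session being replayed; the original user is usually in the cluster too."""
    users = defaultdict(set)
    for ev in events:
        users[fingerprint(ev)].add(ev["user_id"])
    return {fp: ids for fp, ids in users.items() if len(ids) >= min_users}


def profile_inconsistencies(events: list) -> dict:
    """stordoff's check: does the profile inside the payload agree with where the
    request actually came from and with what the network served? Assumes locales
    of the form "lang-REGION". Returns {user_id: [reasons]} for users that fail."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user_id"]].append(ev)
    out = {}
    for uid, evs in by_user.items():
        lang, region = evs[0]["locale"].split("-")
        countries = {e["ip_country"] for e in evs}
        reasons = []
        if region not in countries:
            reasons.append("locale_region_vs_ip")
        plausible = set().union(*(EXPECTED_OFFSETS.get(c, set()) for c in countries))
        if evs[0]["tz_offset"] not in plausible:
            reasons.append("tz_vs_ip")
        if all(e["ad_lang"] != lang for e in evs):
            reasons.append("ad_language_vs_locale")
        if reasons:
            out[uid] = reasons
    return out


def constructed_events() -> list:
    """Three genuine sessions plus one of them replayed six times with fresh random
    ids and timestamps from US hosts, the way gcb0's recipe would produce them."""
    rng = random.Random(7)  # seeded so the example is reproducible

    def req(uid, ts, country, locale, tz, trace, ad_lang):
        return {"user_id": uid, "ts": ts, "request_id": rng.getrandbits(32),
                "ip_country": country, "locale": locale, "tz_offset": tz,
                "device": "Pixel 2", "app_version": "3.1.0", "trace": trace,
                "ad_lang": ad_lang}

    # trace entries: [action, scroll offset in px, seconds since session start]
    captured = [["scroll", 420, 1.8], ["scroll", 880, 4.1], ["tap_ad", 0, 6.3]]
    events = [
        req("u-real-1", "2018-10-23T19:02:11Z", "FR", "fr-FR", 2, captured, "fr"),
        req("u-real-2", "2018-10-23T19:05:40Z", "FR", "fr-FR", 2,
            [["scroll", 130, 0.9], ["tap_ad", 0, 2.2]], "fr"),
        req("u-real-3", "2018-10-23T15:10:03Z", "US", "en-US", -4,
            [["scroll", 300, 2.0], ["scroll", 610, 3.5], ["tap_ad", 0, 5.0]], "en"),
    ]
    for i in range(6):
        uid = f"u-{i}-{rng.getrandbits(32):08x}"
        ts = f"2018-10-24T{rng.randrange(14, 21):02d}:{rng.randrange(60):02d}:00Z"
        events.append(req(uid, ts, "US", "fr-FR", 2, captured, "en"))
    return events
```

gcb0's point that a random id simply gets a fresh profile is why the first check has to key on the request payload rather than on the id: the id is worthless as a key, but the copied behaviour trace is not, and it is exactly the part of the capture the replayer cannot randomise without losing the "looks like a real user" property the whole scheme depends on.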

------
homero
I don't get why they spoof other apps. They have many real users/traffic to
hide fake ads into. Hiding the ad is another story.

------
puranjay
It's ironic that one of the top comments on this page is a bot account
pitching a "work from home" opportunity

------
rustcharm
700,000 apps were removed for fraud? This probably means most of the free apps
you see are shady ad-scams!

------
monochromatic
I wonder how plausible something like this is on Apple’s App Store.

