
Ad Fraud Scheme Drained Users’ Batteries By Running Hidden Video Ads In Android - occamschainsaw
https://www.buzzfeednews.com/article/craigsilverman/in-banner-video-ad-fraud
======
hannob
It is interesting how this article starts. A guy has an app which drains users
batteries. But it's not his fault of course, because it's the ad company.
Except the ad company says it's not their fault, because the ad came from some
other company.

This fingerpointing points to one of the core problems of the ad industry:
They created a system where nobody knows who's responsible for anything, so
malware and fraud has an easy time.

But this mode of thinking makes no sense. If you put ads in your app _YOU_ are
responsible. If you use an ad service from a shady company that outsources to
other shady companies then you're still responsible.

~~~
manigandham
Adtech companies know exactly who is responsible. Every ad on any serious
network is approved before going live. Every single auction is logged, that's
just basic tracking and necessary for billing anyway.

The problem is that there are no serious consequences in this industry. Ad
fraud isn't a technical problem, it's a business problem, one that most
companies are not incentivized to solve or prevent.

~~~
crankylinuxuser
If companies are "people" in the legal sense, why isn't there a 'corporate
death penalty' for utter gross violations that would get real humans locked in
a case for decades?

Is the CFAA only for fleshers? Why so?

~~~
manigandham
I don't know about all that.

The "why" is because it's a 12-figure global industry including two of the
most valuable companies in the world with unlimited resources and lobbying
power, combined with highly technical mechanics and a complex network of
business relationships that no politicians have any real understanding of.

I must add that there's also a (sometimes irrationally) strong reaction by
those politicians and many others to working with anyone in adtech to even
attempt to solve these problems which clearly doesn't help.

------
ChuckMcM
From the article -- _which will see more than $20 billion stolen this year._

Think about the number in that article for a minute, $20 BILLION dollars
"stolen" last YEAR.

How many places are there in the world where you can steal over a billion
dollars from them, and they won't hunt you down and kill your family? A
nation-state? Nope they will send their intelligence service after you. A drug
cartel? Don't even get me started, this is the same scale of numbers that drug
cartels earn[1]

And since there is no "War on Ad Fraudsters", no departments dedicated to
hunting down and arresting 'kingpin' Ad hackers, why would you sell drugs when
you can make about the same amount, so much more safely? When you figure all
the expenses you _don 't_ need, the bribes, the security forces, the
underground tunnels, even going out and acquiring product. This is so much
better way to stealing money.

[1] _the estimate, from the Justice Department, that Colombian and Mexican
cartels reap $18 billion to $39 billion from drug sales in the United States
each year._ \--- [https://www.nytimes.com/2012/06/17/magazine/how-a-mexican-
dr...](https://www.nytimes.com/2012/06/17/magazine/how-a-mexican-drug-cartel-
makes-its-billions.html)

~~~
stingraycharles
Keep in mind that it’s primarily the publishers that are hurt by this.
Advertisers typically determine what they’re willing to spend on inventory
based on the ROI, which is decreased by ad fraud.

As such, the inventory of “genuine” publishers is devalued as well.

Note that in this sense, a publisher can be both a powerhouse like FB or
Google, or also smaller outlets.

~~~
ChuckMcM
I completely agree, it is perhaps the greatest source of Google's CPC erosion
over the past decade. But the tools available to go after these folks are
limited.

------
zamalek
It's crazy that ads have reached through point where impressions-without-
impressions are lucrative. If I was the type of scumbag to pay large amounts
of money for data hungry ads, I'd be furious. But, they don't care? Are ads
now just a sunk cost with no ROI analysis? Is it like a gym membership?

~~~
drilldrive
I think that the issue here is little to no access to a more detailed
portfolio of the ads ran on your platform, as you are generally going through
a middle-man, which in this case is the scammer by selling to providers on
their front than they are paying you for.

~~~
narrator
I think the issue is that there are lots of number crunchers out there
thinking :

"Well this ad campaign is profitable when we spend $100 on highly targeted
Facebook ads, let's spend $10000... Oh they don't have that many impressions
to sell us..."

"Where are we going to get all those ad impressions from?"

"Shady Bob's affiliate network has millions of impressions to sell us!"

"Great. That should work. The sky's the limit on this ad campaign! We're going
to be rich!"

~~~
jjeaff
You say that as if shady Bob is to be less trusted regarding ad impressions
than Facebook.

Facebook has untold millions and millions of fake accounts that they are not
trying in the least to shutdown. Because they make just as much for an ad
served to a bot as they do for a real user.

------
Reason077
Isn’t the real issue here a technical one with MoPub’s ad platform?

How is it possible that a banner ad can open hidden off-screen views, and play
video ads using a different (fraudulent) publisher ID? Can’t banners be
sandboxed in order to prevent such activity, or at least detect it?

~~~
perlgeek
Or phrased another way, why does a banner need to be anything more than an
image, possibly an animated image?

Everything else screams of abuse and unnecessary tracking.

~~~
Cthulhu_
Simple: Because video ads are more effective, thus providing more sales for
whatever's being advertised and more advertising income. Ad companies are
trying to find the limit of annoyance vs effectiveness, and despite most
people finding video ads and the like annoying, they're proven to be more
effective than static ones.

~~~
pbhjpbhj
They reason they're annoying is because they distract from the content, which
is the reason they're effective, they steal focus.

The ad companies aren't trying to find the limit of annoyance vsc
effectiveness, they're trying to maximise their profit. They don't care about
annoyance, in fact annoyance can actually be positive for brand advertising.

------
sucrose
> He also acknowledged removing the photos and names of people, including his
> cofounder, Tal Melenboim, from Aniview’s website after being contacted by
> BuzzFeed News.

 _Streisand Effect._ Archived version of their "Team" page:
[https://web.archive.org/web/20171004134601/http://www.anivie...](https://web.archive.org/web/20171004134601/http://www.aniview.com/about/)

------
YeahSureWhyNot
I used to date a girl who had a Galaxy S8 from sprint and that phone had most
ridiculous ads like online casino ads, everywhere, even on lock screen.

~~~
haser_au
The 'Peel Smart Remote' app came pre-installed on my old Samsung S6, and it
did the same thing. Lock screen ads and everything.

[https://fossbytes.com/peel-remote-use-remove-smart-
remote/](https://fossbytes.com/peel-remote-use-remove-smart-remote/)

[https://www.androidpolice.com/2017/03/29/peel-remote-app-
ups...](https://www.androidpolice.com/2017/03/29/peel-remote-app-upsets-users-
ton-ads-lock-screen-overlays/)

~~~
DrScump
And their app lies about the scope of devices it can control. For example, it
won't even warn you if your target device outright lacks an IR port before you
install it.

Worse yet, check out the permissions it demands: Calendar (!), Contacts (!!),
Camera, precise Location, microphone, Bluetooth... even _body sensors_!

------
krn
I don't mind Google or Facebook showing ads in their own products, because
that's the only business model that works at their scale and for what their
offer. Imagine the world, in which the access to the most advanced search
engine or social network was only available to the people who can afford to
pay for it.

But I don't support using ad networks in the products that are not big enough
to sell them themselves. Firstly, because it makes those products completely
dependent on third-parties for their own existence. And secondly, because
these products often become proxies for third-party user tracking.

Just let me pay for your product, if I like it enough. Otherwise, I will just
rely on Blokada[1] to protect me from your unwillingness to find a sustainable
business model.

[1] [https://blokada.org/](https://blokada.org/)

~~~
vanderZwan
> _that 's the only business model that works at their scale and for what
> their offer._

Do you have any basis for that claim? Because my impression is that
historically there have been and are plenty of other businesses at their scale
that did/do not need this at all.

~~~
krn
> historically there have been and are plenty of other businesses at their
> scale that did/do not need this at all.

Have we ever had an internet company with over 1 billion active users not
using advertising as its main source of income?

~~~
Nextgrid
Microsoft? Major ISPs and wireless carriers? Basically any company that has a
_real_ product that people need can succeed without advertising.

Maybe the real answer is that Shitbook is just not worth paying for?

~~~
krn
> Microsoft? Major ISPs and wireless carriers?

These are physical businesses, not internet companies.

Bing has ads. Twitter has ads. Reddit has ads.

Yahoo! has had ads since 1990s.

~~~
Nextgrid
How is Microsoft a physical business? They provide services delivered online,
just like Facebook, Google, etc does.

> Yahoo! had ads since 1990s. Twitter has ads. Reddit has ads.

And yet seems like Reddit is the only one doing somewhat good (and even then
the community is pissed off and rightfully so, and without the community
they'd suffer the same fate as the two former ones).

~~~
krn
> How is Microsoft a physical business?

A lot of its income comes from licensing Microsoft Windows and Microsoft
Office, which are physical products.

And where Microsoft competes with Google directly, it often shows ads just
like Google does[1].

[1]
[https://en.wikipedia.org/wiki/Bing_Ads](https://en.wikipedia.org/wiki/Bing_Ads)

~~~
jakear
O365 however does not, in contrast with Google Docs.

------
dschuetz
Why is that even possible to hijack an active ad feed? It implicates that in-
app ads are high risk security-wise. I just can't believe how broken the
infrastructure for web services actually is, and why the companies doing and
serving ads space only act when revenue is at stake. This and many other
things are getting out of hand.

~~~
pdkl95
A lot of people listened to Douglas Crockford when he talked about "The Good
Parts"[1] of Javascript. Unfortunately, very few people also listened to his
warning[2] than mixing foreign Javascript was insecure by design (only proper
trust boundary is the page).

[1]
[http://shop.oreilly.com/product/9780596517748.do](http://shop.oreilly.com/product/9780596517748.do)

[2]
[https://www.youtube.com/watch?v=qfBL2sc2zUU](https://www.youtube.com/watch?v=qfBL2sc2zUU)

------
hrdwdmrbl
My first thought is that this is really Google's problem to fix. How is it
even possible to do this on Android? Or is this also possible on iOS?

~~~
product50
This is irrespective of the OS. Basically, on the webview, they are running a
downloading and running hidden video with all the trackers going off.

~~~
whalesalad
Not necessarily. You can’t run wild on iOS.

~~~
underwater
What makes you say that? Ads are generally powered by webviews, and there is
little that Apple can do to determine what is desired behaviour and what is
nefarious. Unless you are suggesting iAds should be the only game in town?

Web standards are introducing resource limits that can be used to prevent this
abuse in the future, but that is not platform specific.

------
philipkiely
"One of the hallmarks of mania is the rapid rise in the complexity and rates
of fraud." \-- Michael Burry, The Big Short (Film)

------
mrweasel
I like how the issue of draining the battery is in title. It indicates that
the actual fraud aspect is less important, and that the issue that we're
really suppose to be upset about is the battery issue.

Directing angre towards the advertising is a little weird too, if there was
less fraud, then maybe the ad buyers be more critical in regards to which ads
they buy and how many they run.

~~~
djhworld
It's a three pronged attack.

The advertiser who's paying for fraudulent impressions, the user who's battery
life is drained, and the app developer who might be getting reports/bad
reviews about the app draining battery life

------
einrealist
There is an interesting podcast about ad fraud and different schemes, on
Software Engineering Daily.

[https://softwareengineeringdaily.com/2019/03/12/ad-fraud-
eng...](https://softwareengineeringdaily.com/2019/03/12/ad-fraud-engineering-
with-praneet-sharma-and-shailin-dhar/)

------
howard941
On unmolested Android an app running in the background causes the o/s to
display an un-closable icon in the notification bar, according to google so as
to help users avoid getting into these background battery-draining situations.
This doesn't absolve the app writer from deploying what's essentially badly-
behaving fraudware.

------
yilugurlu
I guess the advertisers whose video ads run in the background don't care about
ad viewability.

Most of our advertisers require at least %90 of viewability, big brands. But a
still significant amount of them use VAST and don't care about any other
measurement. When we ask them to if they have VPAID tags many times they just
say no, we only have VAST.

~~~
dillondoyle
Seems like an impossible arms race though (to fake viewable) plus it looks
like this fraud was a VPAID container.

VPAID adds a overhead compared to the possibility of a native implemented VAST
player. If there was a way to verify & build trust with pubs/networks to run
vast tags natively, no JS, I would buy that inventory. Newer vast also has a
viewable event, but again is on the pub to specify legitimately hence the
verifiable trust. There's a reason FB gets a lot of my $$

~~~
Macha
Between players, ad network wrappers, third party service wrappers, creative
teams getting the spec wrong, more requests for ad blockers to block etc.,
VPAID is a mess in terms of successful playback though. It's like developer
for early 2000s browsers when you have to test in multiple tools and work
around multiple quirks. I can see why advertisers might not want to bother.

~~~
dillondoyle
I'm with you. I would prefer the much simpler VAST (maybe even change to json
lol) with trusted/verifiable publishers. It can be natively implemented and
not have to call webviews and all kinds of js bloat! I just dont know how to
make that happen. In essence it's what FB offers just using their own internal
video delivery platform.

------
foobar_
You know many programmers are the 1% of the internet, in a way. I think almost
every programmer has an adblocker.

I've been browsing without an adblocker for a while. I really recommend it.
You will see scam after scam after scam ...

And most people, the 99% who don't use adblockers are falling for all these
things.

------
Zak
I am amused that the article detailing a very good reason to use an adblocker
asked me to disable mine.

~~~
mirimir
Hey, there _are_ no ad blockers for apps, right? Messing with other apps is a
ToS violation for both Google and Apple, as I recall.

Edit: OK, you can. But not with other apps from the official stores.

~~~
shtam
You can with Adguard

~~~
cinquemb
Thanks for this, installing this on both me and my wife's phones.

------
phkahler
“I don’t even think about me being ripped off,” Julien told BuzzFeed News.
“All I think about is them damaging the app’s reputation. It can cost money to
[a user] and drain his battery.

We need more of that attitude in the world. So many companies try to make a
buck doing things that ultimately damage their reputation. Once that's gone
it's all down hill.

------
product50
This is why advertisers flock to Google and Facebook Ads. You can call them a
lot of things but ad fraud is something they take very seriously. A view or a
click on Facebook video ad is most definitively pointing to the real thing.
And just that surety is a good reason to pay some premium.

~~~
radium3d
Google is great but I definitely wouldn't put Facebook ad clicks anywhere near
the quality of Google ad clicks.

~~~
product50
If anything Facebook's clicks are much more reliable than Google's since
Facebook shows almost all its ads on its O&O properties where there is 0
potential for fraud. A lot Google's mobile ads are via AdMob which are shown
on third party apps which Google doesn't own - which can lead to scenarios
where the publisher may be upto some mischief.

~~~
radium3d
AdMob is O&O by Google. I would say mischief is doable on both platforms since
it is up to the developer to implement either SDK within their apps. This is
why it is important to monitor conversion rates and be selective as to which
apps your ads appear on. You could select Google's apps only for example.

~~~
product50
You don't know the definition of O&O. Please get a sense of what you are
debating about before typing away.

O&O means that the app/site where, in this case, the ad is shown is owned and
operated by Google. That is absolutely not true for AdMob.

~~~
radium3d
No, I do know the meaning of owned and operated. What I stated is true as
well, admob is O&O by Google. Facebook ads can appear on non O&O content the
same as admob via their audience network. Both networks have options to
advertise on just their O&O website or apps. Do you understand now?

~~~
product50
Comparing AdMob to Facebook Audience Network is like comparing a lemon to a
watermelon. Majority of FB's display revenue comes from ads on their own
properties. This is not true for Google where their display network dominates
their display ad spend.

Anyways, the fact that I have to explain all these things tells me you are
pretty new to this and don't understand things deeply enough to have this
debate. I will sign off.

~~~
radium3d
You need to readjust your experience meter.

------
cwkoss
Would be great if ad networks would stop letting random companies embed
whatever js they want.

There is no reason a banner ad should have this capability. Twitter's MoPub is
showing their negligent greed.

That being said, draining video ads budgets is probably a pro-social 'Robin
Hood' kind of theft.

------
llukas
Another reason to cut all ads alike.

------
Radle
"Aniview denies any involvement and instead says the platform and banner ads
and code, which were created by one of its subsidiaries, were exploited by a
malicious, unnamed third party."

The Bucket has to stop somewhere...

------
tobyhinloopen
TIL Ad fraud is fine, just don't drain our precious batteries?

~~~
TeMPOraL
Gangsters shooting gangsters isn't fine either, but regular people worry
mostly about collateral damage.

------
rizzin
Embedded automatically played videos are a scourge upon Internet.

~~~
concerned_user
Also amount of ad space on news sites should be regulated, i.e. > 30% of
screen space is meaningless pictures/ads/promo - not a news site.

------
h1rschnas3
One more reason to use AdGuard on Android.

------
myth17
How are they making money by draining batteries?

~~~
senectus1
the answer is in the Title of TFA: This Giant Ad Fraud Scheme Drained Users'
Batteries And Data By Running Hidden Video Ads In Android Apps

~~~
dang
The originally submitted article didn't have that title (see
[https://news.ycombinator.com/item?id=19459834](https://news.ycombinator.com/item?id=19459834)).

------
randomfinn
The link is blog spam, original article is at
[https://www.buzzfeednews.com/article/craigsilverman/in-
banne...](https://www.buzzfeednews.com/article/craigsilverman/in-banner-video-
ad-fraud)

~~~
dang
Thanks. Url changed from [https://www.theverge.com/2019/3/22/18276542/scam-
hidden-vide...](https://www.theverge.com/2019/3/22/18276542/scam-hidden-video-
ads-android-app-drain-batteries-data-cpu-cycles).

Submitters: please read and follow the guidelines. They include: " _Please
submit the original source. If a post reports on something found on another
site, submit the latter._ "

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
occamschainsaw
Sorry about that, will keep it in mind for future posts.

------
AngryData
Advertising is a scourge upon society.

~~~
kbenson
> Advertising is a scourge upon society.

I understand where you're coming from, but that's painting with a pretty broad
brush. Advertising covers everything from the signage stating the name of the
mom-and-pop shop on the corner (which is why cities often limit the size of
logos/names on building) to billboards on the side of the freeway. It covers
movie trailers I seek out ant watch to see what's coming soon to commercials
interspaced within a video that interrupts the flow.

I hate some of those, but i actively like, or at least value the utility of
some of the others. A specific type of advertising has grown outsized that
last couple of decades, and it's causing real problems. But let's not paint
with too broad a brush just because we're fed up. That's how stupid laws get
passed.

~~~
snarfy
I'm not against advertising, but I am against branding. The term was borrowed
from the cattle industry, where a hot piece of metal scars the cattle with a
logo of the owner. Branding in advertising is meant to scar your brain. I
consider it a form of assault.

~~~
marcosdumay
You mean those laws that allows companies to get a reputation with their
clients without a scammer being able to legally exploit it and confuse
everybody?

~~~
hutzlibu
Branding is ok. What I think is not OK but totally normal, is branding
combined with advertisement. The name of the brand combined with all the
perfect, beautiful and fun things of the world, so your name associates the
brand with all the nice things. That is lying to me and I hate that it is the
norm.

~~~
marcosdumay
Oh, ok. You dislike brand advertising, that's reasonable.

I don't know if it's viable to separate good brand advertise (our soda tastes
good, our bags last forever) from the bad kind (use our product and get all
the pretty woman). Some regulation over emotional tone (and, of course, false
info) may be much more successful than focusing on brands vs. unitary
products.

~~~
hutzlibu
I would not regulate it at all. I hope for more people to understand what is
happening with their brains. Once you do understand it does not affect (as
much). But with kids these days entrenched in their smartphone virtual reality
consuming custom tailored ads .. the trend is unfortunately downwards.

