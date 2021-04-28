Nearly 30 Android and Roku apps hijacked phones to defraud advertisers. Although users never saw the ads, they may have noticed increased data use and slowed performance.

The scammers used the apps distributed in the official Google Play store to build up a network of almost a million compromised Android devices. The "PARETO" botnet then used the phones to issue bogus requests to advertisers while making the devices appear to be Smart TV sets. That was particularly appealing to advertisers because of the belief viewers are more likely to pay attention to an ad on a TV screen than on a phone.

Although the ads were never delivered in a way that would be viewable by the phone owner, the scammers still claimed credit from the advertisers and fraudulently received payments.

This is a form of ad fraud closely related to click fraud, in which affiliates earn commissions on fake clicks; the same technique is also used to drain competitors' ad budgets. In the latter case, once a rival's daily budget is exhausted its ads drop out of the auction, competition for the first ad position (which typically receives the most clicks) diminishes, and the remaining advertisers pay a lower cost-per-click.

Mobile Data Disappears

While this might not seem a problem for phone users, the botnet as a whole made an average of almost 650 million bogus ad requests each day, spread across almost a million compromised devices, so on the order of several hundred requests per phone per day. This not only slows down phone performance, but also drains batteries and heats up devices. For users on mobile data networks, it could mean running through monthly data allowances inexplicably quickly. (Source: express.co.uk)
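Human's report does not publish its detection method, so the following is an added example (not Human's code and not drawn from the PARETO operation): a heuristic screen in Python, run over constructed ad-request log lines, that applies the two inconsistencies the passages above describe. A request that claims to come from a Smart TV but arrives over a mobile carrier network is consistent with a phone masquerading as a TV, and a device that makes far more requests in a day than a television plausibly would points to automated traffic. The log format, the field names (dev, dtype, net, ua) and the 500-requests-per-day ceiling are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). One ad request per line,
# key=value fields: ts (UTC timestamp), dev (device id), dtype (device type the
# request claims to come from), net (network type the request arrived over),
# ua (user agent, quoted). ph-07 is a phone posing as a Roku on a cellular
# network and firing 720 requests in one day.
_SPOOFED_PHONE_LINES = "\n".join(
    f'ts=2021-04-27T{h:02d}:{m:02d}:00Z dev=ph-07 dtype=ctv net=cellular ua="Roku/DVP-9.10"'
    for h in range(24) for m in range(0, 60, 2)   # 24 * 30 = 720 requests
)
SAMPLE_LOG = f"""\
ts=2021-04-27T09:00:01Z dev=tv-01 dtype=ctv net=broadband ua="Roku/DVP-9.10"
ts=2021-04-27T09:30:05Z dev=tv-01 dtype=ctv net=broadband ua="Roku/DVP-9.10"
ts=2021-04-27T09:00:04Z dev=ph-02 dtype=mobile net=cellular ua="Mozilla/5.0 (Linux; Android 10)"
ts=2021-04-27T11:00:04Z dev=ph-09 dtype=ctv net=wifi ua="Roku/DVP-9.10"
{_SPOOFED_PHONE_LINES}
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Labels and threshold are assumptions for this example, not published figures.
CTV_TYPES = {"ctv"}             # dtype values that claim a TV/streaming device
MOBILE_NETWORKS = {"cellular"}  # network types a living-room TV would not use
DAILY_REQUEST_CEILING = 500     # assumed plausible ad requests per TV per day


def parse_line(line):
    """Parse one key=value log line into a dict, dropping quotes around values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def load(text):
    """Parse every non-empty line of a log into a list of field dicts."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def flag_devices(records, ceiling=DAILY_REQUEST_CEILING):
    """Return {device_id: sorted reasons} for devices whose requests look spoofed.

    Rule 1 (identity mismatch): the request claims a CTV device type but arrives
    over a cellular network, which a TV set does not use.
    Rule 2 (volume): more requests in one UTC day than the assumed ceiling.
    """
    reasons = defaultdict(set)
    per_day = defaultdict(int)  # (device, YYYY-MM-DD) -> request count
    for r in records:
        dev = r["dev"]
        if r.get("dtype") in CTV_TYPES and r.get("net") in MOBILE_NETWORKS:
            reasons[dev].add("ctv_on_cellular")
        per_day[(dev, r["ts"][:10])] += 1
    for (dev, _day), count in per_day.items():
        if count > ceiling:
            reasons[dev].add("volume_above_ceiling")
    return {dev: sorted(rs) for dev, rs in reasons.items()}


if __name__ == "__main__":
    for dev, rs in sorted(flag_devices(load(SAMPLE_LOG)).items()):
        print(dev, ", ".join(rs))
```

Running it flags only ph-07, on both rules. Note what slips through: ph-09 also claims to be a Roku, but it sits on Wi-Fi and made a single request, so neither rule fires. That is the gap a real anti-fraud pipeline closes with further signals (per-app and per-IP aggregates, timing regularity, mismatches between the claimed platform and lower-level network fingerprints), and it is one reason a spoofing app can run on a phone for a long time without the owner, or a simple filter, noticing.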

Security firm Human, which uncovered the scheme, names the following Android apps among those used:

Any Light

Bump Challenge - MultiSport

Carpet Clean

3D Flash Light

Hole Ball

King Light Torch SOS

Mobile Screen Recorder

Save The Balloons

Sling Puck 3D Challenge

Apps Weren't Suspicious

As is often the case, the apps were generally either games or single-function utilities such as those which use the phone's camera flash as a torch. Such apps generally work as advertised; it's just that users don't know their real purpose.

Human's analysis suggests users would have had little reason to realize the apps housed malware. The underlying code would have raised alarms among technical experts, however: despite the apps being advertised as ad-free, it referenced connections to ad-related URLs. It's not clear if or how Google should have spotted this code before allowing the apps into the official store. (Source: humansecurity.com)

