Android apps used in multimillion dollar ad fraud scheme

(Image credit: Image Credit: Pixelkult / Pixabay)

A recent investigation by BuzzFeed News has revealed that more than 125 Android apps were used by cybercriminals in an ad fraud scheme that earned millions of dollars by replicating the behaviour of actual users.

The site found that a company called We Purchase Apps had bought legitimate Android apps from developers to use in the largest advertising fraud scheme to date.

Once the apps were purchased from their creators, their Google Play store pages were changed to list four different companies as their developers with addresses in Bulgaria, Cyprus and Russia to give the appearance that the apps now had different owners. The ownership of the apps was transferred to shell companies in Cyprus, Malta, the British Virgin Islands, Croatia, Bulgaria and elsewhere.

Using legitimate apps for advertising fraud

In total, BuzzFeed News identified 129 different Android apps that were purchased from developers by We Purchase Apps to be used in the ad scheme. The apps have been installed on Android phones more than 115m times and are mostly games but there are also utilities such as a flash light app and even a VPN called Blink VPN.

The apps were still maintained after they were purchased to keep their real users satisfied and to create the appearance of a thriving audience. However, the fraudsters recorded how actual human users interacted with the apps and then used this information to have bots mimic their actions. 

The apps in question were still served ads even though they were mostly being used by bots which earned those behind the scheme close to $10m in ad revenue.

BuzzFeed News alerted Google with its findings and the company has begun to remove the fraudulent apps from the Play Store. Google praised BuzzFeed for sharing its information in a blog post in which it stressed the need for companies to collaborate to counter bad actors, saying:

“Collaboration throughout our industry is critical in helping us to better detect, prevent, and disable these threats across the ecosystem. We want to thank BuzzFeed for sharing information that allowed us to take further action. This effort highlights the importance of collaborating with others to counter bad actors. Ad fraud is an industry-wide issue that no company can tackle alone. We remain committed to fighting invalid traffic and ad fraud threats such as this one, both to protect our advertisers, publishers, and users, as well as to protect the integrity of the broader digital advertising ecosystem.” 

Via BuzzFeed News

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.