Hundreds of Popular Android Apps Part of Multimillion-Dollar Ad Fraud Scheme buzzfeednews.com

Craig Silverman, BuzzFeed:

Last April, Steven Schoen received an email from someone named Natalie Andrea who said she worked for a company called We Purchase Apps. She wanted to buy his Android app, Emoji Switcher. But right away, something seemed off.

[…]

Schoen had a Skype call with Andrea and her colleague, who said his name was Zac Ezra, but whose full name is Tzachi Ezrati. They agreed on a price and to pay Schoen up front in bitcoin.

“I would say it was more than I had expected,” Schoen said of the price. That helped convince him to sell.

A similar scenario played out for five other app developers who told BuzzFeed News they sold their apps to We Purchase Apps or directly to Ezrati. (Ezrati told BuzzFeed News he was only hired to buy apps and had no idea what happened to them after they were acquired.)

Giant klaxons are already blaring in my head and this doesn’t even concern the actual — you know — fraud part of the story. The ability to migrate apps and their entire user bases to different developers is an alarming security risk, particularly with the broad use of automatic update mechanisms. This reminds me of when the Stylish browser extension was sold to a new owner that immediately saddled it with spyware. Users should be made fully aware of an ownership change, and some sort of action on the user’s part ought to be required for them to update to a newer version of the software.

Silverman:

One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News’ request.

This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems.

[…]

App metrics firm AppsFlyer estimated that between $700 million and $800 million was stolen from mobile apps alone in the first quarter of this year, a 30% increase over the previous year. Pixalate’s latest analysis of in-app fraud found that 23% of all ad impressions in mobile apps are in some way fraudulent. Overall, Juniper Research estimates $19 billion will be stolen this year by digital ad fraudsters, but others believe the actual figure could be three times that.

In other forms of advertising, spots are pre-sold for a specific fee based only on an estimated audience. If yet another vacuum-packed mattress company buys ads in an episode of a podcast, it doesn’t matter whether that episode is downloaded ten thousand times or a hundred thousand times — the mattress company will have paid the same price for that spot. Sponsoring later episodes might cost them more if there are an increasing number of listeners, or the podcaster may cut them a deal for multiple sponsorships, but there isn’t a real-time bidding scheme. It’s the same for print and television. Effectiveness in terms of action taken is harder to measure directly, but that encourages advertisers and creative firms to make something eye-catching and memorable.

For most online advertising, though, this is completely backwards: advertisers are charged and ad placements are paid out based on how many views or clicks there have been, not how many there are expected to be. This makes it much harder to differentiate fraudulent behaviour from honest views. It typically requires more tracking in order to be able to model real human behaviour — something that was defeated in this case. And, according to a recent report produced for Radiocentre — a trade group for British commercial radio stations — online ads of all types are completely ineffective (PDF).[1]

In general, the incentives of online advertising encourage fraud, clickbait, and spyware. This will continue to be the case so long as these ads are behaviourally targeted, and are paid for based directly on the number of views and clicks.


1. One side effect of the ineffectiveness of online ads is that a huge industry has been built on the basis of creating ads that don’t look like ads. Social media “influencers”, native advertising, and content marketing all fall into this bucket. They’re generally just as unmemorable as other online advertising, but with the added bonus of feeling scummier and more manipulative because they aren’t obviously ads.