Security researchers disrupt 'sophisticated' Pareto Android ad fraud botnet
Hackers infected Android devices with malware that mimicked millions of connected TV products to generate fake ad views
Researchers from cyber security firm Human Security (formerly White Ops) claim to have uncovered and disrupted a sophisticated fraud operation, dubbed Pareto CTV botnet, in which hackers infected more than one million Android mobile devices to steal revenues from unsuspecting advertisers.
According to the researchers, fraudsters served on average 650 million ad requests a day in online ad exchanges as part of the fraud operation, collecting funds that were meant for apps available on popular streaming-TV platforms run by Roku, Amazon, Google and Apple.
Hackers infected Android devices with software that mimicked millions of connected TV (CTV) products to generate fake ad views.
"Pareto is nearly a million infected mobile Android devices pretending to be millions of people watching ads on smart TVs and other devices. The botnet used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, accounting for an average of 650 million ad requests every day," Human Security said in a post.
Twenty-nine Android apps, most available on Google's official Play store, made infected devices appear to be smart TVs, tricking ad providers into believing that the ad views were genuine, although they were never watched by a real person. The researchers also found 36 apps on Roku to be part of the same fraud campaign.
While the apps appeared benign, they included a "software development kit" that generated the fake ad views.
Any Light, a torch app that allowed users to choose different light colours, was among the apps that included the deceptive code. The app has been downloaded more than 10,000 times, according to Forbes.
Gaming app Sling Puck 3D Challenge, with about 100,000 downloads, was also found to contain fraudulent code.
"Pareto worked by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent CTV platforms," the researchers said.
"The botnet took advantage of digital shifts that were accelerated by the pandemic, hiding in the noise in order to trick advertisers and technology platforms into believing ads were being shown on CTVs."
"This particular approach is lucrative for fraudsters, as pricing for ads on connected TVs is often substantially higher than pricing on mobile devices or on the web."
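The spoofing the researchers describe leaves contradictions between what a request claims to be and what the device actually reports, and those contradictions are what an ad exchange or verification vendor would look for. The following is an added illustration, not code from Human Security or from the article: the record fields, the sample requests and the volume threshold are assumptions, not any real exchange's schema.

```python
"""Heuristics for spotting Pareto-style CTV spoofing in ad-request logs.

Added illustration; the record fields and thresholds are assumptions, not a real
exchange's schema or Human Security's detection logic.
"""
from __future__ import annotations
from collections import Counter
from typing import Iterable

# Platforms the article names as impersonated; only Fire OS is itself Android-based.
CTV_PLATFORMS = {"fire os", "tvos", "roku os"}
NON_ANDROID_CTV = {"tvos", "roku os"}
MAX_REQUESTS_PER_DEVICE_PER_HOUR = 120  # assumed ceiling for one real TV


def suspicious_reasons(req: dict) -> list:
    """Return reasons a single request's device signals contradict its CTV claim."""
    reasons = []
    platform = req["claimed_platform"].lower()
    if platform not in CTV_PLATFORMS:
        return reasons  # not claiming to be a TV; out of scope here
    width, height = (int(x) for x in req["screen"].split("x"))
    if height > width:
        reasons.append("portrait screen on a claimed TV")
    if platform in NON_ANDROID_CTV and "android" in req["user_agent"].lower():
        reasons.append("Android user agent on a non-Android TV platform")
    if req.get("touch_events", 0) > 0:
        reasons.append("touch input reported by a claimed TV")
    return reasons


def flag_requests(requests: Iterable[dict]) -> dict:
    """Map device_id -> reasons, combining per-request checks with per-device volume."""
    flagged = {}
    volume = Counter()
    for req in requests:
        volume[req["device_id"]] += 1
        for reason in suspicious_reasons(req):
            device_reasons = flagged.setdefault(req["device_id"], [])
            if reason not in device_reasons:
                device_reasons.append(reason)
    for device, n in volume.items():
        if n > MAX_REQUESTS_PER_DEVICE_PER_HOUR:
            flagged.setdefault(device, []).append(f"{n} requests in one hour")
    return flagged


# Constructed sample: one hour of requests from one real TV and two spoofing phones.
SAMPLE = [
    {"device_id": "tv-1", "claimed_platform": "Roku OS", "user_agent": "Roku/DVP-9.4", "screen": "1920x1080"},
    {"device_id": "phone-1", "claimed_platform": "Roku OS", "screen": "1080x2220",
     "user_agent": "Dalvik/2.1.0 (Linux; U; Android 9)", "touch_events": 3},
] + [{"device_id": "phone-2", "claimed_platform": "Fire OS",
      "user_agent": "Dalvik/2.1.0 (Linux; U; Android 10)", "screen": "1920x1080"}] * 200

if __name__ == "__main__":
    for device, reasons in flag_requests(SAMPLE).items():
        print(device, reasons)
```

The second phone passes every per-request check because Fire OS really is Android-based, so only its request volume gives it away; this is why per-device and per-app rate baselines matter alongside field consistency checks.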
According to Human Security's chief scientist Michael McNally, the scale and sophistication of this operation were "especially striking".
"The actors behind Pareto have a fundamental understanding of numerous aspects of advertising technology, and used that to their advantage in how they hid their work within the CTV ecosystem," McNally added.
Last year, researchers from British cyber security firm Snyk said that a software development kit created by China's Mintegral was exhibiting malicious behaviour, stealing revenue from rival ad platforms and exfiltrating user data to servers controlled by its developers.
Snyk researchers claimed that the malicious SDK - dubbed "SourMint" - was present in over 1,200 iOS apps on Apple's App Store - including Helix Jump, PicsArt, Subway Surfers, Talking Tom and Gardenscapes.
Consumer watchdog Which? warned last year that more than one billion Android phones and tablets were vulnerable to hacking as they were no longer supported by security updates.
The report said that about 40 per cent of Android device users around the world were no longer receiving important updates, and the most at-risk devices were those running Android 4 or older.