To fight 'invalid traffic' that isn't meant to generate ad revenues, Google uses several filters and machine learning models. It also collaborates with advertisers, agencies, publishers, ad tech companies, research institutions, law enforcement, and other third-party organisations to locate potential threats. Yet, as per a recent report, apps installed on millions of Android devices were able to track user behaviour and carry out a massive multimillion-dollar ad fraud scheme. According to the investigation, the fraud allegedly involved 125 Android apps and websites. Google has responded to the issue by removing and blacklisting several apps and websites involved with the scheme.
Earlier this week, folks at BuzzFeed News uncovered the ad fraud where cybercriminals were using more than 125 popular Android apps and websites to track user behaviour and earn millions of dollars through ad views/clicks. The report said that a front company called 'We Purchase Apps' would buy legitimate and popular apps, available on Google Play, from developers. Ownership of those apps would then be transferred to shell companies that would continue to manage them. The shell companies were also found to be analysing user behaviour and interactions with the apps. Some of these apps were shown to be targeted at children.
The report explained that these shell companies were running the purchased apps the same as before to avoid any additional scrutiny. Meanwhile, they would be analysing the behaviour of the app users. Protected Media, a cybersecurity firm, told BuzzFeed that the collected data was used to create a botnet system that would pretend to be actual users. Using the huge number of botnets, the cybercriminals managed to show an inflated number of users to advertisers. Clearly, Google's and advertisers' fraud detection tools could not catch them. The apps have a combined download count of more than 115 million, the report claimed.
The criminals managed to reap millions of dollars in ad revenue from companies paying to advertise with in-app ad networks. It is a shrewd system, as it can hide invalid bot traffic amidst regular user data, making it tougher for anti-fraud systems to identify.
Meanwhile, Google was informed about the fraudulent scheme by BuzzFeed News, following which it claims to have removed the apps. The company has also blacklisted additional apps and websites that are outside of its ad network, so that advertisers using Display and Video 360 do not buy any of the traffic. In an official blog post, Per Bjorke, Product Manager, Ad Traffic Quality, Google, said, "While our analysis of the operation is ongoing, we estimate that the dollar value of impacted Google advertiser spend across the apps and websites involved in the operation is under $10 million. The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks."
Bjorke also noted that the reported fraud is allegedly carried out by the same group that generates web-based traffic using a botnet called 'TechSnab'. He said that Google and other companies have been tracking the botnet for a long time.