Over 5,000 mobile apps found performing in-app ad fraud

Of the $20 billion projected to be spent by advertisers on mobile advertising in 2015, $1 billion will effectively be lost due to in-app ad fraud, warns ad fraud detection and prevention company Forensiq.

As more and more users surf the Web from their mobile devices, many advertisers have switched to showing their ads to that particular, continually growing subset of people.

Forensiq researchers have discovered a new type of ad fraud called mobile device hijacking, and have uncovered over 5,000 mobile apps used to perpetrate it.


“While most desktop malware is installed unintentionally via deceitful techniques, most mobile apps are installed intentionally. Consumers trust what they are getting: mobile apps exist in an official app store, may receive many positive reviews, and provide entertainment or utility,” they noted.

“These apps run constantly, even when not actively in use, serving thousands of invisible ads every day on a single device.”

Users on whose mobile devices these apps were installed are usually oblivious that anything untoward is happening as they don’t see most of the ads. At best, they might notice that their device’s battery is draining faster than before, or that they hit their data limit a lot faster than usual.

“A typical malicious app installed on a single device can download 2GB of data per day consisting of text and application data used to communicate with exchanges and data providers, as well as images and videos that are never seen,” the researchers pointed out.

The numbers of affected devices is staggering: 12 million unique devices flagged in just 10 days (1% of all US devices, 2–3% of all devices in Europe and Asia). The malicious apps are present and are offered for download on third party app marketplaces, but also on Google Play and Apple’s App Store.

They are usually games, and not the highly popular ones. Still, during their research, they discovered another problem: popular apps that do not display ads, but their IDs still appear to have a considerable presence in the in-app programmatic marketplace (e.g. Wickr and Blackberry’s BBM).

“We suspect that these legitimate apps are victims of app spoofing – a deceptive tactic by which the publisher or mobile advertising platform may modify the app headers passed to the exchange in order to misrepresent the true identity of the app generating the inventory,” they explained.

The biggest problem for app markets and advertisers is that as soon as one of these apps gets flagged and removed, another one pops up. They also have the same problem that end users have: antivirus software does not detect these apps as malicious.

Before opting to install an app, it’s a good idea for end users to check the permissions it asks and read other customers’ reviews.

If the app requires unusual permissions that are not needed to perform the advertised actions and functions, and if the reviewers complain about the app draining their battery and/r bandwidth, it’s best to refrain from installing it.

It’s also a good idea to go through your phone once in a while, and delete the apps you are no longer using.