Oracle Data Cloud Companies Expose ‘DrainerBot’ App Fraud Scheme

Oracle has uncovered an ad fraud operation it calls “DrainerBot,” which siphoned off ad dollars and monthly data packages.

Oracle’s internet infrastructure business Dyn originally discovered the operation after it picked up suspicious activity among some mobile apps using an SDK from Tapcore, a Dutch mobile monetization company. The apps obscured web data with proxy servers and loaded suspicious ads.

AdExchanger reached out to Tapcore via its website, but hasn’t received a response.

Tapcore’s SDK is supposed to run in the background of an app and only activate if the user downloads a pirated version of the original app. It would allow the original developer to serve ads into the pirated app if the user downloaded a ripped-off, ad-free version of a mobile game, for example.

But Tapcore was also using its SDK to generate fake ad impressions, using a bogus browser it side-loaded into the app that wasn’t visible to the user.

“The side-loading phenomenon is something we have to keep an eye on,” said Dan Fichter, the data cloud’s VP of software engineering and former CTO of Moat, another Oracle business that was enlisted by Dyn to understand the dubious server activity. “As a general pattern it’s a way in which fraudsters can get well-intentioned developers to work on their behalf.”

The DrainerBot ads may have been hard to identify as illegitimate, but the software directly affected people’s phones and monthly data rates. With the fake browser running in the background, phones with the Tapcore SDK drained battery and data, Fichter said.

Oracle worked with the Trustworthy Accountability Group (TAG) and Google, which housed some of the affected apps on its Android operating system and Play Store, to mitigate ad spend on Tapcore apps while it scrutinized the operation.

“This is becoming a nice trend where some of these more sophisticated tech companies are now able to identify and track major botnets,” said Mike Zaneis, TAG president and CEO. “It takes time though, and we’re developing this ability to make our members aware of the issue and protect the market while a botnet is being tracked.”

Previously, exposing ad fraud operations was like nailing smoke to a wall. But with better technology and more players in the ecosystem willing to collaborate on fraud prevention, companies like White Ops, Google and DoubleVerify – not to mention the FBI – have exposed a string of ad fraud schemes in recent months.

“People are good at tracking fraud but see different slices of the ecosystem,” Zaneis said.

Fichter said the combination of Moat and Dyn was critical for exposing the DrainerBot operation and for Oracle’s fraud prevention approach. Dyn focuses on infrastructure-level internet security threats while Moat addresses transparency and ad fraud.

“Having the threat research teams making discoveries like [DrainerBot] that use advertising is hugely useful,” he said. “And it works the other way as well. Computers and devices that are compromised and used for ad fraud could be used for something else tomorrow.”
