Apps Installed On Millions Of Android Phones Tracked User Behavior To Execute A Multimillion Dollar Ad Fraud Scheme

A new investigation uncovers a sophisticated ad fraud scheme involving more than 125 Android apps and websites, some of which were targeted at kids. From a report: Last April, Steven Schoen received an email from someone named Natalie Andrea who said she worked for a company called We Purchase Apps. She wanted to buy his Android app, Emoji Switcher. But right away, something seemed off. "I did a little bit of digging because I was a little sketched out because I couldn't really find even that the company existed," Schoen told BuzzFeed News. The We Purchase Apps website listed a location in New York, but the address appeared to be a residence. "And their phone number was British. It was just all over the place," Schoen said. It was all a bit weird, but nothing indicated he was about to see his app end up in the hands of an organization responsible for potentially hundreds of millions of dollars in ad fraud, and which has funneled money to a cabal of shell companies and people scattered across Israel, Serbia, Germany, Bulgaria, Malta, and elsewhere.

Schoen had a Skype call with Andrea and her colleague, who said his name was Zac Ezra, but whose full name is Tzachi Ezrati. They agreed on a price and to pay Schoen up front in bitcoin. "I would say it was more than I had expected," Schoen said of the price. That helped convince him to sell. A similar scenario played out for five other app developers who told BuzzFeed News they sold their apps to We Purchase Apps or directly to Ezrati. (Ezrati told BuzzFeed News he was only hired to buy apps and had no idea what happened to them after they were acquired.) The Google Play store pages for these apps were soon changed to list four different companies as their developers, with addresses in Bulgaria, Cyprus, and Russia, giving the appearance that the apps now had different owners.

But an investigation by BuzzFeed News reveals that these seemingly separate apps and companies are today part of a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans. (A full list of the apps, the websites, and their associated companies connected to the scheme can be found in this spreadsheet.)

One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app's human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News' request. This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems. Response from Google.

Cry me a river...

[Anonymous Coward]

One parasite ripping of another...

Re:Cry me a river...

[MrMr]

Exactly that, one company selling something it doesn't own to another company on false pretenses. As far as I can see it's more an implementation of the electric monk https://www.urbandictionary.co... [urbandictionary.com] for advertisement than a case of fraud.

Re:

[thsths]

Exactly. Google is enabling app developers to spy on users, app developer abuses this to defraud Google. I guess that is what you get if you drop "Don't be evil".

Google ads

[110010001000]

I wonder what percentage of Google ad impressions are from fake views. You would think a significant percentage of people have adblockers by now.

Re:

[110010001000]

Can't you block adwords ads too? I haven't seen one in a long time.

Re:

[110010001000]

You sure seem to know a lot about Google, snowflake.

DIsable Auto-Update

[crow]

Google and Apple should disable auto-update on apps that change owners. If you want an update after the app has changed owners, you should at least be aware of the change, which would cut way down on this type of scam.

Re:

[jbmartin6]

App auto updates should be disabled period. Who needs to burn bandwidth downloading a bug fix for some other phone model?

Re:

[olsmeister]

Certainly you, as someone who knows what they're doing, should be able to disable auto updates. I guess after that the discussion becomes should they be disabled by default, knowing that millions of other people will never update anything on their own and become infested with malware and spread it as security holes are discovered in older version of popular apps.

Re:DIsable Auto-Update

[jbmartin6]

The threat level for malware delivered via vulnerabilities in *already installed APPS* is almost non-existent. Meanwhile the threat from malicious updates continues to grow. Just talking about apps here, not the core OS and services. When was the last time someone got malware due to a vulnerability in Super Fun Solitaire? There is some wiggle room however, some apps perhaps we might want auto-update, like browsers. But the vast majority of them don't benefit from updating from either a user or security perspective. Ideally we would have a perfectly reliable curator deciding which apps are a benefit to auto-update. Well, we can dream.

Re:

[TheFakeTimCook]

Google and Apple should disable auto-update on apps that change owners. If you want an update after the app has changed owners, you should at least be aware of the change, which would cut way down on this type of scam.

I don't know about Google, but on iOS, I personally have NEVER seen an App just "AutoUpdate". They ALL just gang-up WAITING to be MANUALLY Updated. I realize you CAN tell iOS to Auto-Update Apps (and who would?!?); but the default is WISELY "OFF", and you have to dig around in Settings to Enable it.

https://9to5mac.com/2013/09/20... [9to5mac.com]

Perhaps on Android, either there IS no Setting, or the Default is IDIOTICALLY set to "Enabled"...

Ah, I see: Good ol' Google: Always looking-out for the User... NOT:

https://www.ho [howtogeek.com]

Re:

[pnutjam]

Android is the same, I have auto-update turned off and I review the change logs before updating.

Google is big ass for putting "updates and bugfixes" in 90% of their change logs.

Re:

[TheFakeTimCook]

Android is the same, I have auto-update turned off and I review the change logs before updating.

Google is big ass for putting "updates and bugfixes" in 90% of their change logs.

With no due Respect, Android is NOT the same in a VERY significant way:

On iOS, Auto-Update is "Opt-IN". The DEFAULT is "OFF".

On Android, Auto-Update is :"Opt-OUT". The DEFAULT is "ON".

Knowing that MOST users don't closely examine EVERY one of Dozens of OS and App Settings, both Companies clearly state THEIR proclivities in this (and many other) matters regarding "Security".

Now, argue against THAT logic. I dare you.

Re:

[pnutjam]

I can't help the majority, and I don't have any experience with IOS aside from ipads my kids have to use. There are plenty of things I find frustrating in IOS, chiefly the way they tie you into their ecosystem. You can't create child accounts (under 18), without an IOS device with an adult account. Itunes and web interfaces won't suffice. They can only be managed by another IOS device, so every child of mine's Ipad has an account claiming they are over 13. (School says I am the account owner so it should be

Re:

[TheFakeTimCook]

I can't help the majority, and I don't have any experience with IOS aside from ipads my kids have to use. There are plenty of things I find frustrating in IOS, chiefly the way they tie you into their ecosystem. You can't create child accounts (under 18), without an IOS device with an adult account. Itunes and web interfaces won't suffice. They can only be managed by another IOS device, so every child of mine's Ipad has an account claiming they are over 13. (School says I am the account owner so it should be my age, but I don't want the kids exposed to app behavior targeting adults). Secondly the fact that IOS can't be setup properly without some sort of payment method on file.

Android sucks too, but I know how to manage it. The settings are mostly there (but quit setting my location to scan wifi and cell towers assholes). I turn stuff off and keep only what I need enabled.

I won't let loose with both barrels, because you admitted that you had almost no knowledge of iOS.

I will counter that by admitting I have no kids; so therefore very limited knowledge of the specifics regarding iOS and kids.

HOWEVER, I DID find this in .5 seconds of Googling:

https://support.apple.com/en-u... [apple.com]

https://discussions.apple.com/... [apple.com]

Perhaps, next time, you might try something like a simple Google search before you assume iOS simply "doesn't allow that".

Re:

[pnutjam]

Well, your first link is setting up an Apple ID, which does not require a payment method. Now try to use that apple ID to install anything free on your Ipad...
I'll wait...
(spoiler, you need to put in a payment method).

Your 2nd link flat out agrees with me, the first guy says, "this is how you do it". Every post after that is, "uh, your wrong, I don't see it", or "I think you can't do it from the website."

I've been through tons of hoops on this, even talked to a lawyer at the EFF. Apple has a program

Re:

[TheFakeTimCook]

Well, your first link is setting up an Apple ID, which does not require a payment method. Now try to use that apple ID to install anything free on your Ipad...
I'll wait...
(spoiler, you need to put in a payment method).

Your 2nd link flat out agrees with me, the first guy says, "this is how you do it". Every post after that is, "uh, your wrong, I don't see it", or "I think you can't do it from the website."

I've been through tons of hoops on this, even talked to a lawyer at the EFF. Apple has a program to allow schools to create an actual child ID, but my school refuses to participate. Even though the ID is not managed by the school and the school district next door appears to participate. I've given up on it because I was becoming that problem parent and I have other concerns.

Ok, well maybe I stand corrected. I am willing to believe that you have researched this further than my 10 minutes...

It sounds like Apple does have sort of a catch-22 problem with Child IDs.

It also sounds like the IT or some Administrative Asshole at your School District needs to have a knot jerked in his tail; even if there is a "hole" in the Child ID signup "rules", Apple has provided "a way out", and it is ultimately YOUR SCHOOL DISTRICT that is the stumbling-block.

You need to go to your local TV station

Re:

[crow]

No, but it often does. It would mean that instead of just buying apps, they would have to buy the entire accounts, which would make it a bit harder for them.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[TheFakeTimCook]

I downloaded a flashlight app a while ago. It wanted access to every single feature on my phone, including my contacts and flash storage. All it does is turn the flash on. It's got adverts on it.

I don't use apps at all on my phone. I'm one of the very few people I know that use their phones for calling and texting. Even then I'm dubious about the bundled apps, many of which I can't even delete.

Sounds like you should migrate to the Other Side (iOS).

It's REALLY nice to NOT have to worry about all that shit (and, BTW, you CAN delete (not just HIDE) ALL, or nearly ALL, the intrinsic Apps on iOS).

Google Play Store is fraud central

[illiac_1962]

Looked into a popular anime app called GACHA by lunime.com. It draws kids into an online community and they have quite the portfolio of apps on the store. Whois: blank Godaddy: generic details (no real name etc) Found the physical address registered with GoDaddy. Google Earth, nothing. So the people who produced all of these apps targeted at young kids doesn't want to be found? How much of this is going on? I tried to find out what endpoints, if any, these apps were hitting. Good luck unless you want to

Re: Google Play Store is fraud central

[illiac_1962]

Kids. Whole neighborhood of kids are using the apps.

Are we trusting BuzzFeed again?

[mi]

Are we to assume, BuzzFeed have moved on from the "Find out what kind of pizza you are" and unsourced anti-Trump hit-pieces to actual credible journalism? Skeptical as I am of Google, BuzzFeed has an even longer way to go to credibility...

Re:

[93 Escort Wagon]

Actually, Buzzfeed does have a seriously good news group. Unfortunately, funding for that group is generated by a much larger group - which is the one responsible for the crap most of us normally associate with the name "Buzzfeed"...

Re:

[Ol Olsoc]

Are we to assume, BuzzFeed have moved on from the "Find out what kind of pizza you are" and unsourced anti-Trump hit-pieces to actual credible journalism? Skeptical as I am of Google, BuzzFeed has an even longer way to go to credibility...

In Soviet America, truth is based on your opinion of the source.

Re:

[Torvac]

when you read " ... an investigation by BuzzFeed News " it means somebody somewhere investigated something, then buzzfeed news found that investigation and copied it now claiming they investigated that.

Internet advertising is fake and has never worked

[alternative_right]

Since this landmark study [comscore.com] came out, the internet industry has been in a low-grade panic because the data shows that its ads do not work and thus, its numbers are all fake. People online do not respond to ads as people on television or reading a newspaper do; they simply tune out the noise. Ever since then, these companies have been directly or indirectly faking their numbers, because they know when the real numbers come out, the Big Tech game is up and they all go back to managing Windows networks at donut shops in small midwestern cities.

Re:

[Anonymous Coward]

the study is ACTUALLY just saying that using clicks on a ad as a measure of success is not meaningful, NOT that digital advertising is fake and doesn't work

that study came out in 2009 - digital advertising spend is multitudes higher then what it was in 2009 - nothing within the reply you posted is useful or true.

Re:

[aybiss]

The truth still is that NO advertising, digital or otherwise, makes people buy things. None.

Re:

[Ol Olsoc]

Ever since then, these companies have been directly or indirectly faking their numbers, because they know when the real numbers come out, the Big Tech game is up and they all go back to managing Windows networks at donut shops in small midwestern cities.

Good.

Perhaps we can rid the internet of part one of it's toxic presence.

Next up will be Microsoft and their malware emulating updates.

Internet advertising is fake and walls work.

[Ostracus]

Fine with me. We can all go back to what works. Paywalls!

surprised

[Putra.kusuma]

I am surprised that there are still frauds of this type

Oh no, somebody told a lie?

[aybiss]

Advertisers must be horrified at the prospect that someone could lie to them. Like actually lie. In broad daylight. With nobody stopping them. Wow!