Researchers have discovered that thousands of apps in the app stores for Apple, Android, and Windows Phone are running a highly sophisticated and potentially harmful form of advertising fraud.
Fraud detection company Forensiq claims in a report to have discovered a new type of ad fraud called “mobile device hijacking.” A user downloads an app from the official app store — which may look legitimate and have hundreds of positive reviews — which then runs in the background, serving hundreds of ads at a rate as high as 20 ads per minute (most normal apps that carry ads refresh an ad only every 30 to 120 seconds).
Even when users close the app down, it can still be carrying out fraudulent activities as a background process — some even begin firing off ad requests as soon as the user starts their phone up.
Business Insider has contacted Apple, Google, and Windows Phone for comment. We’ll update this article once we hear back.
This is a concern to users: Forensiq told Business Insider that it observed some apps that were using up as much as 2GB of a user’s data allowance per day. Such behaviour also has a marked impact on a device’s battery life. Forensiq said it flagged some 12 million devices for fraudulent activity.
For advertisers, the impact of mobile device hijacking is even more severe. Forensiq estimated the annual cost to advertisers — which are unwittingly paying for all these invisible ads to be served that are never actually seen by a real person — is at least $US857 million. It can be difficult for advertisers to know their ads are running on malware because the apps also spoof user behaviour and send back legitimate-looking data.
In the US alone, $US20 billion is expected to be spent on mobile in-app advertising in 2015, according to eMarketer, which means the money lost to in-app fraud could pass the $US1 billion mark by the end of the year.
Forensiq captured hundreds of hours of data from more than 12 million devices which had installed apps flagged for ad fraud. About 1% of devices Forensiq observed in the US, and between 2% and 3% in Europe and Asia, were running so-called “infected” apps.
Forensiq found that fraudulent apps generated traffic through most of the major ad exchanges and networks, establishing more than 1,100 connections per minute. Malicious script downloaded by some of the apps allowed them to simulate random clicks and load the advertiser’s landing page without the user’s knowledge.
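The three behaviours the report describes (ad requests far above a normal refresh cadence, requests continuing while the app is not on screen, and simulated clicks) can all be spotted from a device-side ad-request log. The following script is an added illustration written for this article, not Forensiq's tooling or any real SDK; the log format, the app names and the thresholds are all constructed assumptions. The thresholds take the article's own figures as a baseline: a normal app refreshes an ad every 30 to 120 seconds (0.5 to 2 per minute), while a hijacked app can reach 20 per minute.

```python
"""Rate-, background- and click-based detector for hijacked-app ad traffic.

Added example, not code from the article or from Forensiq. It reads
constructed log lines of the form
    <seconds_since_window_start> <app_id> <FOREGROUND|BACKGROUND> <IMPRESSION|CLICK>
and flags apps whose ad requests look like the pattern the report describes.
"""
from collections import defaultdict

# Thresholds are assumptions for illustration.
MAX_NORMAL_PER_MINUTE = 2.0      # article: normal apps refresh every 30-120 s
RATE_FLAG_FACTOR = 5.0           # flag at 5x the normal ceiling (10 per minute)
BACKGROUND_SHARE_FLAG = 0.5      # flag if >50% of requests arrive while not on screen
MAX_PLAUSIBLE_CTR = 0.05         # flag click-through ratios above 5%


def parse_line(line):
    """Parse one log line into (seconds, app_id, state, event)."""
    ts, app, state, event = line.split()
    if state not in ("FOREGROUND", "BACKGROUND") or event not in ("IMPRESSION", "CLICK"):
        raise ValueError(f"unrecognised log line: {line!r}")
    return int(ts), app, state, event


def analyze(lines, window_seconds=60):
    """Return per-app rate, background share, CTR and the flags they trigger."""
    if window_seconds <= 0:
        raise ValueError("window_seconds must be positive")
    counts = defaultdict(lambda: {"impressions": 0, "clicks": 0, "background": 0, "total": 0})
    for line in lines:
        _, app, state, event = parse_line(line)
        c = counts[app]
        c["total"] += 1
        if event == "IMPRESSION":
            c["impressions"] += 1
        else:
            c["clicks"] += 1
        if state == "BACKGROUND":
            c["background"] += 1

    results = {}
    for app, c in counts.items():
        rate = c["impressions"] * 60.0 / window_seconds      # impressions per minute
        bg_share = c["background"] / c["total"]              # fraction of requests off-screen
        ctr = c["clicks"] / c["impressions"] if c["impressions"] else 0.0
        flags = []
        if rate > MAX_NORMAL_PER_MINUTE * RATE_FLAG_FACTOR:
            flags.append("high_rate")
        if bg_share > BACKGROUND_SHARE_FLAG:
            flags.append("background_activity")
        if ctr > MAX_PLAUSIBLE_CTR:
            flags.append("synthetic_clicks")
        results[app] = {
            "impressions_per_minute": rate,
            "background_share": bg_share,
            "ctr": ctr,
            "flags": flags,
        }
    return results


def constructed_sample():
    """Constructed 60-second log (not captured data): one normal app, one hijacked one."""
    lines = [
        "0 news_reader FOREGROUND IMPRESSION",
        "45 news_reader FOREGROUND IMPRESSION",
    ]
    for i in range(20):                       # 20 impressions in 60 s, 15 of them off-screen
        ts = i * 3
        state = "FOREGROUND" if i < 5 else "BACKGROUND"
        lines.append(f"{ts} flashlight_pro {state} IMPRESSION")
        if state == "BACKGROUND" and i % 5 == 4:   # three simulated clicks, all off-screen
            lines.append(f"{ts + 1} flashlight_pro {state} CLICK")
    return lines


if __name__ == "__main__":
    for app, r in analyze(constructed_sample()).items():
        print(f"{app:15s} {r['impressions_per_minute']:5.1f}/min "
              f"bg={r['background_share']:.2f} ctr={r['ctr']:.2f} flags={r['flags']}")
```

In the constructed sample the news app stays at 2 impressions per minute with no flags, while the flashlight app hits 20 per minute with most of its traffic arriving in the background and a 15% click ratio, so it trips all three flags. The rate check alone is easy to tune around (an app that spreads its requests over many ad networks can stay under any single-SDK threshold), which is why the background and click checks are kept as independent signals rather than folded into one score.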
Overall, Forensiq found 14.64% of the apps it tested were at high risk of this type of fraud. Here’s the breakdown by operating system:
What’s most surprising here is that Apple — which notoriously makes developers go through rigorous approval processes before it allows their apps to appear in the App Store — has a fraud risk that is nearly as high as that of Android.
Forensiq told Business Insider that while all the app stores are becoming ever more vigilant when it comes to protecting users and advertisers from in-app fraud, the fraudsters themselves have become increasingly sophisticated. Forensiq even hypothesized that fraudsters could write code into their apps that detects when the app is running under test conditions — such as Test Pilot — and only deploys the ad fraud-committing scripts once the app has been approved.
Forensiq advises users to use common sense when downloading apps to their phone: you probably shouldn’t give a shooting game permission to access the internet, for example. Alarm bells should start ringing if an app asks you for permission to prevent the device from sleeping, run at startup, or modify and delete content on the SD card. And if there’s an app on your phone that you don’t use, you’re best off uninstalling it.