Cybercriminals, Mobile Internet Companies Committing Ad Fraud On Android, iOS Users

Tracking web traffic was first employed to determine the popularity of websites but with the growth of internet and advent of mobile applications, traffic became a business within itself. This also gave rise to creating advertising fraud schemes that deceive users and redirect them to fake websites to steal their data and personal information.

It turns out that not just cybercriminals, but well-known businesses also have been using traffic to make illegitimate money. Kochava, an app analytics and attribution firm, discovered two companies — Cheetah Mobile, a Chinese company listed on New York Stock Exchange and Kika Tech, headquartered in Silicon Valley — have been illegally claiming apps' installation fee, or bounty, when they played no role in an app’s installation. The practice being employed by Cheetah and Kika is called as click flooding or click injection.

Many application developers pay a bounty — typically ranging from 50 cents to $3 — to companies or partners that can help drive new installations of their apps. Ad generators are usually paid when a user clicks on an ad created for an app, and then installs and opens it, leading to the app developer paying the ad network. App installation attribution — which ad led to the installation of an app on a specific phone — in such cases is hard to make accurately.

When the app is opened from the device that it is installed on, the app creates a lookback to see where the last click came from and attributes the installation. BuzzFeed News cited Kochava's research that found Cheetah and Kika (Cheetah is one of the biggest investors in Kika) using this attribution system to make sure they were awarded the last click.

Various apps by Cheetah and Kika, with a total of over 2 billion downloads on the Google Play store, have been abusing user permissions as part of this ad fraud scheme that could have stolen millions of dollars, BuzzFeed News reported Monday.

In another ad fraud scheme, a cybercriminal group called ScamClub hijacked over 300 million browser sessions — the time of communication between two systems, typically a personal computing device and a server — for over 48 hours to redirect users to adult websites and gift card scams. The criminals deployed malicious or malware laden advertisements into legitimate websites that redirected the users through various temporary websites that eventually ended up pushing adult-themed and gift card scams. This process employed by the criminals is called malvertising.

The malware-laden ads were created to look like ads for legitimate Android apps but were engineered to scam U.S.-based iOS users with an intention to collect their personal and financial data with these offers.

While malvertising has been plaguing the internet for many years now, this particular cybercriminal group’s hijack stood out because of the number of users’ browser sessions that were affected, ZDNet reported Tuesday, citing Jerome Dang, chief technology officer and cofounder of Confiant, a cybersecurity firm.

Confiant first discovered ScamClub's movements in August while it was already investigating the malvertising scam. 57 percent of Confiant’s customers were affected during the 48 hours when the malvertising was deployed by the cybercriminals. Dang said they discovered a “huge spike” Nov. 12 on their data collection system, when is when the hijack would have probably occurred.

"The difference is the volume. One of the reasons for the Nov. 12 spike is that they were able to access a very large ad exchange. Previously they only had access to lower reputation ad networks which limited their visibility on premium websites,” Dang told ZDNet.

Dang didn’t reveal the name of the ad exchange involved, but said the exchange had removed the malicious ad on Nov. 12. However, ScamClub still continued to hijack users' browser sessions since the criminals had already deployed a code inside the ads. This code allowed the malicious ads not to activate the malicious redirects when it was being analyzed, therefore, preventing many security vendors from flagging the domains (at the end of these redirection chains) as malicious.

"We've continued to see activity, to the scale of 300k hits per day, so the attacker is still active but back to its usual lower visibility ad networks. We expect they'll continue to be active for the foreseeable future,” Dang told ZDNet.