With more than half of all internet traffic coming from portable devices, it’s no surprise that hackers and fraudulent programmers are targeting mobile websites and apps. With many of these devices running processes in the background, for savvy fraudsters, it’s relatively simple to leverage this power to their advantage. DrainerBot, a mobile click fraud malware, is a prime example of this.
Summary: Mobile app malware used to view and download videos
DrainerBot was discovered in February 2019 by Oracle Software. A sophisticated mobile malware operation, DrainerBot was found to have been distributed to app developers in the form of code in a software development kit (SDK). Developers use SDKs to help them build apps more easily, and because the malware code was built into this foundation, every app built on the SDK carried it, which allowed DrainerBot to proliferate.
In fact, thousands of apps on the Android app store had since been created using this SDK, with around 10 million downloads on devices across the world.
The name DrainerBot was chosen as the bot uses huge amounts of data and power, rapidly draining phone batteries and maxing out data allowances. It does this by viewing videos in the background on user devices.
Marketers are all too aware of ad fraud, where their ad spend can be siphoned off into the pockets of fraudsters in a variety of clever ways. Consumers are usually less concerned, as this is seen as something that doesn’t affect them. However, DrainerBot works to defraud marketers using ordinary people’s phones and tablets, zapping the battery and data allowances of Android devices.
DrainerBot is activated when a user downloads an affected app from the Google Play app store. Once the app is on the device, DrainerBot views and downloads video ads in the background, hugely slowing down devices and using up huge amounts of data.
The app then reports back to ad networks that a video has been viewed on a legitimate site, which results in a payout for the site owner. These sites may actually look like popular or well known websites, and even have a similar domain name. But in fact they are created for the sole purpose of making money for the webmaster by hosting videos and channelling this fake traffic through it.
The device user will likely never know that their phone is viewing a video ad in the background, but might notice that their battery is significantly worse or that their phone always seems to get hot. In fact, DrainerBot is known to use over 10GB of data per month, by viewing videos.
Some highlighted complaints from apps that were found to be running DrainerBot are:
- Drains battery from 100% to 5% in an hour
- Used 5GB of data in two weeks
Marketers might notice that they have lots of views and clicks on their video ads, most likely from YouTube. However, they will also notice that this boost in views brings very few conversions. Cost per impression is a typical method for video ads to pay out, with video ads not just found on YouTube but embedded on other websites too. This ‘impression fraud’, carried out using malware, is a growing form of digital ad fraud, although it’s not a new practice, with the most famous example being Methbot.
Who created DrainerBot?
Whoever created the code that is used to insert DrainerBot into thousands of apps is still not known to the general public. Although the software development kit was designed and distributed by TapCore, the company vehemently denied any involvement with the DrainerBot program.
Based in the Netherlands and managed by mostly Russian staff (according to LinkedIn), TapCore’s service is designed to help developers monetize pirated installations of their apps.
TapCore also started their own investigation to uncover who was behind the DrainerBot program. There seems to be no further mention of this investigation online, although I have reached out for information and will update this article when any details become available.
Which apps are affected by DrainerBot?
Most of the apps affected by DrainerBot were removed from the Google Play app store once it was discovered that they harboured the damaging code. However, it’s thought that as of 2020 there could be more apps available that still contain the DrainerBot code.
Apps known to have been affected by DrainerBot included:
- Touch and Beat – Cinema
- Draw Clash of Clans
- Solitaire: 4 Seasons (Full)
- Vertex Club
- Perfect 365
Most of these apps have been discontinued but some seem to be still running. It is entirely possible that they have been updated with the offending piece of code removed.
The case of DrainerBot highlights the ongoing developments in the world of ad fraud and click fraud. With the shutting down of the huge Methbot operation, DrainerBot was uncovered just a few years later. It’s unclear how long DrainerBot had been running for, but the constant evolution and revelation of new ad fraud bots show just how hard it is to stay ahead of this technology.
How to protect PPC ads from bots
Despite the drop in spoofed websites, thanks to the ads.txt update, a significant slice of websites, known as ‘cash out sites’, are still designed solely for bot traffic. In fact, in their 2018-19 Bot Baseline Report, White Ops state that one of the biggest sources for ad fraud will come from app spoofing and hidden ads in apps.
Publishers can protect themselves from spoofed website traffic by using ads.txt to verify publishers and to add their own site to a verified list. Those using video ads should also ensure that their ads are displayed using VAST4, which you can do from your Google Ads dashboard.
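The ads.txt check described above, as an added Python example that is not part of the original article: it parses a publisher's ads.txt file and flags inventory offered by sellers the file does not authorize, which is how a spoofed "cash out" copy of a site gets filtered out. The domains, account IDs and function names are constructed for illustration.

```python
from typing import NamedTuple

RELATIONSHIPS = ("DIRECT", "RESELLER")

class Seller(NamedTuple):
    ad_system: str     # domain of the exchange/SSP selling the inventory
    account_id: str    # publisher's account ID at that ad system
    relationship: str  # DIRECT or RESELLER

def parse_ads_txt(text):
    """Return (authorized sellers, rejected raw lines) for an ads.txt body."""
    sellers, rejected = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if "," not in line and "=" in line:      # variable record (contact=...)
            continue
        fields = [f.strip() for f in line.split(",")]
        valid = (len(fields) in (3, 4) and fields[0] and fields[1]
                 and fields[2].upper() in RELATIONSHIPS)
        if not valid:
            rejected.append(raw.strip())         # malformed: authorizes nobody
            continue
        sellers.add(Seller(fields[0].lower(), fields[1], fields[2].upper()))
    return sellers, rejected

def unauthorized_offers(sellers, offers):
    """Offers (ad_system, account_id) that the publisher's ads.txt does not list."""
    # Assumption: ad system domains compare case-insensitively, account IDs exactly.
    allowed = {(s.ad_system, s.account_id) for s in sellers}
    return [o for o in offers if (o[0].lower(), o[1]) not in allowed]

# Constructed sample: ads.txt as served by a hypothetical publisher.
SAMPLE_ADS_TXT = """\
# ads.txt for example-news.test
adexchange.example, pub-1001, DIRECT, abc123
Reseller.Example, 77-XY, reseller
contact=adops@example-news.test
adexchange.example, pub-9999
videoads.example, v-42, DIRECT  # video partner
"""

# Constructed sample: sellers offering inventory that claims to be example-news.test.
SAMPLE_OFFERS = [
    ("adexchange.example", "pub-1001"),
    ("adexchange.example", "pub-6666"),   # seller ID the publisher never listed
    ("cheapvideo.example", "v-42"),       # ad system the publisher never listed
    ("RESELLER.example", "77-XY"),
]

if __name__ == "__main__":
    sellers, rejected = parse_ads_txt(SAMPLE_ADS_TXT)
    print("malformed:", rejected)
    print("reject offers from:", unauthorized_offers(sellers, SAMPLE_OFFERS))
```

In practice the file is fetched from the root of the domain the impression claims to come from, so a lookalike domain cannot borrow the real publisher's seller list.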
These measures can ensure you protect PPC ad campaigns from bot traffic and fraudulent practices. But ad fraud is an incredibly lucrative industry, estimated to make anything between $6 billion and $25 billion annually, with the technology adapting and evolving as fast as it is uncovered.
To stay ahead of the fraudsters, using anti-click fraud software is the best way to make sure your ads are seen by potential customers, not bots or click farms. Here at ClickCease we offer a free trial, so you can take a look at your ad traffic and see how much of it is from non-human sources.