- A new BuzzFeed exposé reveals a multimillion-dollar ad fraud scheme involving Android apps.
- The scheme involved mimicking actual user behavior using bots — bots which could have been based off you.
- Aside from defrauding advertisers and stealing their money, the fraudsters also illegally tracked Android app users.
You might think BuzzFeed is simply a site filled with tests to figure out your Patronus or which Power Ranger you’re most likely to be. However, BuzzFeed frequently dishes out some amazing investigative journalism, and yesterday it dropped a bombshell report.
According to the exposé, a team of criminal hackers employed a complicated — but ingenious — system to defraud online advertisers out of millions. The scam involved several prominent Android apps available on the Google Play Store, some with tens of millions of downloads.
The BuzzFeed article goes over in detail how everything came to be, and clocks in at over 6,000 words. If you want to know about the fraud in-depth, you should definitely read the incredibly interesting piece, but we’ll give you the shortened version of it here.
The fraud worked like this:
- Fraudsters would contact the owners of popular, highly-rated apps on the Google Play Store. The fraudsters would offer to buy the app from the owner(s) using Bitcoin — in some cases paying more than the owners expected the app to be worth.
- Once they owned an app with a positive reputation, the fraudsters would closely monitor and track the app’s users as they navigated through the application. This could have been you.
- Using the illegally-tracked user data, the fraudsters then created bots which mimicked the human behavior exactly. Once again, one of those bots could have been based on your own behavior.
- Armed with these human-esque bots, the fraudsters set the bots to work opening the app, navigating around, and — most importantly — “viewing” ads.
- Since the bots were mixed in with actual human users (remember, the app is still on the Play Store, still popular, and still maintained), Google’s bot-detection protocols didn’t flag the illegal activity.
- Now that these bots are “viewing” ads repeatedly, undetected, the fraudsters watch the money roll right in.
- Once situated, the fraudsters repeat the whole process by buying another app with a good reputation.
BuzzFeed provides a Google Sheets document which lists out the 129 apps, websites, and their associated companies connected to the scheme. However, here are some of the highlights (some of which are still on the Play Store):
- Smart Voice Assistant
- Selfie Expert Plus/Pro
- Emoji Switcher
- FlashLight F.Light
- Gluten Free Food Finder
- Lazy Alarm
- Pixel Icon Pack 2
- Restaurant Finder
Although Google does make a few statements within the BuzzFeed piece, it appears the search giant was unaware of the fraud scheme before BuzzFeed contacted the company. The article also makes it seem that Google’s systems for monitoring already-approved and popular apps are not as effective as one might assume.