Revealed: The apps that secretly run ads that no one sees, and that slow down your phone
There may be much more advertising in apps than it seems. Thousands of mobile applications are secretly running ads that can’t be seen by users, defrauding marketers and slowing down smartphones, according to a new report by Forensiq, a firm that tracks fraud in online advertising.
Over the course of the 10-day study, one per cent of all devices observed in the US ran at least one app committing this kind of fraud; in Europe and Asia, two to three per cent of devices encountered fake ads. Forensiq identified over 5,000 apps that display unseen ads on both Apple and Android devices. Advertisers are paying about US$850 million for these ads each year, according to the report, and the apps with the highest rate of ad fraud can burn through 2 gigabytes of data per day on a single device.
The sheer amount of activity generated by apps with fake ads was what initially exposed the scam. Forensiq noticed that some apps were calling up ads at such a high frequency that the intended audience couldn’t possibly be actual humans. The apps, said Forensiq, were hitting these numbers by showing as many as five ads in the background for every ad visible to users. Some apps continued to scroll through ads even after the app had been closed.
Unlike many other types of malicious software, the apps also serve a legitimate purpose. Many of them are simple games or utilities, and they seem to have real users.
“It’s not Angry Birds or Candy Crush, but these are apps that people play and enjoy and some real effort went into developing,” said David Sendroff, Forensiq’s founder and chief executive.
Forensiq’s report doesn’t actually name any of the apps, but the firm revealed several of the suspicious apps to me. One of them was a breastfeeding app for Apple devices published by American Baby magazine and app developer Sevenlogics; the invisible ads tout Olive Garden, Amazon, and IBM. The newest version of the app has an average rating of 4 stars. One review, posted by someone describing herself as “Annoyed and Frustrated Mommy,” expressed mixed feelings about the product. While it was a “lifesaver” for a new mom, she found that “after a few months the freezes, restarts, and crashes became more frequent and persistent. I also noticed the pop up ads became more tricky to avoid accidentally clicking on, and now I swear my phone takes me straight to the App Store when I haven’t even touched the screen after the pop up appears. Unfortunately it’s too late for me to switch apps because all my info is wrapped up in this one.”
Complaints about crashing and slowness are also common on reviews for a series of silly games for Android devices with names like Waxing Eyebrows, Celebrity Baby, and Vampire Doctor, all published by the developer Girls Games Only. Forensiq’s video shows these also running code that produces a steady stream of unseen advertisements from companies like Microsoft, Coca-Cola, and Mercedes Benz. The performance issues are almost certainly caused by the extra load resulting from the apps’ secondary functions, said Forensiq.
Attempts to contact five companies whose apps Forensiq flagged went without response.
Surreptitiously running advertisements is a violation of the rules governing all apps available in Apple and Android stores. But it’s tricky to identify what’s happening. The best way, said Sendroff, would be to monitor bandwidth usage over time—something Google and Apple might not have the ability to do. Apple declined to comment for this story, and Google didn’t respond to an interview request.
The main limiting factor for this particular flavour of ad fraud may be economic. The average ad rates for mobile ads on the apps in the Forensiq report hovered around US$1 per thousand views. People intent on making a living through a scam on mobile devices probably have more lucrative options.
Lookout, a security firm focused on mobile threats, said that most of the growth in mobile malware in the US is coming from so-called ransomware, where criminals commandeer a phone and then demand money to unlock it.
“Why am I going to do ad monetisation when I can have something pop up and say I’m not going to unlock your device unless you give me US$200,” said Michael Bentley, Lookout’s head of research and response.
“The payoff per phone is just so low.”
That said, the risk in ad fraud is also much lower. Fraud is endemic in the online advertising world, and the victims—the brands paying for the ads—often lose track of where their ads end up once they are traded through several automated layers of middlemen. If even the victims of a crime are unaware it’s going on, there’s probably less of a chance of anyone getting caught.