10 million downloads — that’s how many times in 2019 users managed to download mobile apps from Google Play infected with the DrainerBot malware. The botnet was downloaded along with popular apps, launched them in the background, downloaded up to 10 GB of advertising videos, “ate up” traffic and “drained” the battery of the mobile device.
Smartphone owners might not notice such a neighbor for years. However, cybersecurity experts managed to detect it and sound the alarm.
Contents
1. What is DrainerBot
2. Operating principle
3. How the botnet was exposed
4. Applications infected with DrainerBot
5. How to protect contextual advertising from bots
The name of the malware was not chosen by chance: drainer literally translates from English as “dryer; dehydrator”, since due to the processing of huge amounts of data it quickly discharges the device’s battery.
The developer is unknown. However, cybersecurity experts managed to contact the developers of the software development kit, TapCore, but it denies any involvement in the botnet. TapCore also began its own investigation, but unfortunately, the course of further actions is unknown.
The DrainerBot malware forced the mobile device to follow fraudulent links in the background and “watch” videos.
Advertisers received a report allegedly stating that their ads were being viewed on the resources of honest publishers. The advertising network took into account the views and paid out a reward.
The fraudsters' websites duplicated real popular and traffic resources, and were also hosted on similar domain names. The websites were created solely for the purpose of performing fraudulent operations.
Users often might not even know that their device was participating in the process of deceiving advertisers and secretly viewing ads. However, the following were clear markers of the strange behavior of smartphones:
More than half of all Internet traffic comes from mobile devices. So it is not surprising that hackers and fraudsters have targeted applications. It was the background mode, if not forcibly disabled in the settings, that allowed the DrainerBot botnet to engage in click fraud.
Once the scam was discovered, most of the apps containing the botnet's malicious code were removed from the Google Play Store. However, experts believed that a year later, in 2020, the malware could still be present in many apps.
Here are those who fell victim to scammers and spread the virus to users' devices:
Most of the listed applications have been discontinued, but some of them still work. It is quite possible that the developers quickly updated them and removed the embedded malicious code fragment.
The DrainerBot case is a prime example from the world of ad fraud. DrainerBot was discovered just a few years after the massive Methbot operation ended . It’s unclear how long the botnet has been in operation, but the constant evolution and emergence of new click fraud bots shows how difficult it is to stay ahead of this technology.
To stay ahead of scammers and prevent them from wasting your advertising budget, use not only your traffic analysis capabilities, but also special services to protect against click fraud.
Smartphone owners might not notice such a neighbor for years. However, cybersecurity experts managed to detect it and sound the alarm.
| Name | DrainerBot |
| Status | Semi-active |
| Description | Mobile app malware used to commit ad fraud by generating fake impressions. It affects mobile devices and runs in the background. |
Contents
1. What is DrainerBot
2. Operating principle
3. How the botnet was exposed
4. Applications infected with DrainerBot
5. How to protect contextual advertising from bots
What is DrainerBot
DrainerBot is a fraudulent software designed to generate fake views of mobile ads. The botnet is designed specifically for Android devices, which is why it infected applications in the Google Play store.The name of the malware was not chosen by chance: drainer literally translates from English as “dryer; dehydrator”, since due to the processing of huge amounts of data it quickly discharges the device’s battery.
The developer is unknown. However, cybersecurity experts managed to contact the developers of the software development kit, TapCore, but it denies any involvement in the botnet. TapCore also began its own investigation, but unfortunately, the course of further actions is unknown.
Operating principle
DrainerBot is activated as soon as a user downloads an infected app from the Google Play store. However, the apps themselves do not initially contain it - the botnet is downloaded along with the update.The DrainerBot malware forced the mobile device to follow fraudulent links in the background and “watch” videos.
Advertisers received a report allegedly stating that their ads were being viewed on the resources of honest publishers. The advertising network took into account the views and paid out a reward.
The fraudsters' websites duplicated real popular and traffic resources, and were also hosted on similar domain names. The websites were created solely for the purpose of performing fraudulent operations.
Users often might not even know that their device was participating in the process of deceiving advertisers and secretly viewing ads. However, the following were clear markers of the strange behavior of smartphones:
- extremely high battery discharge rate - from 100% to 5% in an hour;
- Rapid consumption of mobile traffic - 5 GB of data in two weeks.
- a huge number of views and clicks;
- practically zero conversion.
More than half of all Internet traffic comes from mobile devices. So it is not surprising that hackers and fraudsters have targeted applications. It was the background mode, if not forcibly disabled in the settings, that allowed the DrainerBot botnet to engage in click fraud.
How the Botnet Was Exposed
The malware was discovered in February 2019 by Oracle Data Cloud, a marketing analytics agency, following the acquisition of Moat and Dyn.Applications infected with DrainerBot
According to Oracle Data Cloud specialists, this botnet infected hundreds of popular applications downloaded by Android users about 10 million times.Once the scam was discovered, most of the apps containing the botnet's malicious code were removed from the Google Play Store. However, experts believed that a year later, in 2020, the malware could still be present in many apps.
Here are those who fell victim to scammers and spread the virus to users' devices:
- Touch and Beat – Cinema
- Draw heroes from Clash of Clans
- Solitaire: 4 Seasons (Full)
- "Vertex Club"
- Perfect365
Most of the listed applications have been discontinued, but some of them still work. It is quite possible that the developers quickly updated them and removed the embedded malicious code fragment.
The DrainerBot case is a prime example from the world of ad fraud. DrainerBot was discovered just a few years after the massive Methbot operation ended . It’s unclear how long the botnet has been in operation, but the constant evolution and emergence of new click fraud bots shows how difficult it is to stay ahead of this technology.
How to protect contextual advertising from bots
Thanks to Google's new ads.txt technology, which significantly reduces the number of fraudulent sites, there are still resources in the GDN that are designed exclusively to generate bot traffic. Due to the actions of botnets, there was a huge surge in digital fraud several years ago, for which attackers used application substitution technology and hidden ad display in applications.To stay ahead of scammers and prevent them from wasting your advertising budget, use not only your traffic analysis capabilities, but also special services to protect against click fraud.
