
DrainerBot botnet

Posted by: Man
10 million downloads: that is how many times, by early 2019, users had installed Google Play apps carrying the DrainerBot malware. The bot came bundled with popular apps, ran alongside them in the background, pulled down up to 10 GB of advertising video, ate through the mobile data allowance and drained the device's battery.

A smartphone owner could host such a neighbour for a long time without noticing. Security researchers did notice, and raised the alarm.

Name: DrainerBot
Status: Semi-active
Description: Mobile app malware used for ad fraud by generating fake ad impressions. It targets Android devices and runs in the background.

Contents
1. What is DrainerBot
2. Operating principle
3. How the botnet was exposed
4. Applications infected with DrainerBot
5. How to protect contextual advertising from bots

What is DrainerBot

DrainerBot is fraudulent software built to generate fake views of mobile ads. It targets Android devices specifically, which is why it spread through apps in the Google Play store.

The name was not chosen at random: to drain means to empty or deplete, and the malware's constant background downloading of video quickly drains the device's battery (and its data allowance).

The author is unknown. Researchers traced the code to a software development kit (SDK) from TapCore; TapCore denied any involvement in the botnet and said it had started its own investigation, but the outcome of that investigation has not been made public.

Operating principle

DrainerBot becomes active once a user installs an infected app from Google Play. The app as first published does not necessarily carry the malicious code: it is pulled down later, along with an update.

Once active, DrainerBot makes the device load fraudulent pages in the background and "watch" the video ads on them, with nothing visible on screen.

The ad network counted these background plays as impressions, reported to advertisers that their ads had been viewed on legitimate publishers' sites, and paid out accordingly.

The fraudsters' sites mimicked real, high-traffic sites and sat on look-alike domain names (domain spoofing). They existed solely to host the fraudulent ad loads.

Users usually had no idea their device was being used to defraud advertisers by secretly "viewing" ads. Two symptoms gave the infection away:
  • extremely fast battery drain, from 100% to 5% within an hour;
  • rapid consumption of mobile data, around 5 GB in two weeks.
For advertisers the picture looked like this:
  • a huge number of views and clicks;
  • practically zero conversions.
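The two views of the same fraud described above (the user sees one device burning data, the advertiser sees clicks that never convert, reported under spoofed look-alike domains) can be checked against ad-server logs. The following is an added example, not code from the original post, from Oracle Data Cloud or from any ad network; the CSV layout, field names, package names, domains, thresholds and the log lines themselves are constructed for illustration.

```python
"""Screen ad-traffic logs for DrainerBot-style sources.

Added example. The CSV layout (timestamp,event,app,domain,device), the
thresholds and all sample data below are assumptions, not a real log format.
"""
from collections import Counter, defaultdict

# Constructed sample: an honest app showing a few ads on a real publisher site.
_HONEST = """\
2019-02-01T10:00:01Z,impression,com.example.weather,news-site.example,dev-1
2019-02-01T10:05:11Z,click,com.example.weather,news-site.example,dev-1
2019-02-01T10:09:40Z,conversion,com.example.weather,news-site.example,dev-1
2019-02-01T10:12:03Z,impression,com.example.weather,news-site.example,dev-2
2019-02-01T10:30:22Z,impression,com.example.weather,news-site.example,dev-3
2019-02-01T11:02:50Z,impression,com.example.weather,news-site.example,dev-4
"""


def _constructed_fraud_lines(n=40):
    """Constructed: one device 'watching' n videos inside an hour and clicking
    half of them, reported under a look-alike of the honest publisher's domain."""
    out = []
    for i in range(n):
        ts = f"2019-02-01T10:{i % 60:02d}:{(i * 7) % 60:02d}Z"
        out.append(f"{ts},impression,com.example.drawgame,news-slte.example,dev-9")
        if i % 2 == 0:
            out.append(f"{ts},click,com.example.drawgame,news-slte.example,dev-9")
    return out


SAMPLE_LOG = _HONEST + "\n".join(_constructed_fraud_lines()) + "\n"
PUBLISHER_ALLOWLIST = {"news-site.example", "games-portal.example"}  # assumed


def parse_log(text):
    """Parse the assumed CSV layout into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, app, domain, device = line.split(",")
        events.append({"ts": ts, "event": event, "app": app,
                       "domain": domain.lower(), "device": device})
    return events


def levenshtein(a, b):
    """Edit distance, used to spot typo-squatted publisher domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, allowlist, max_dist=2):
    """Return the allowlisted domain this one imitates, or None if it is
    itself allowlisted or resembles nothing on the list."""
    if domain in allowlist:
        return None
    for good in sorted(allowlist):
        if levenshtein(domain, good) <= max_dist:
            return good
    return None


def analyze(events, allowlist, min_impr=20, ctr_alert=0.2, per_device_hour_alert=20):
    """Per (app, reported domain): counts, CTR and the flags that match the
    DrainerBot pattern: clicks without conversions, one device producing a
    burst of impressions in an hour, and a spoofed publisher domain."""
    counts = defaultdict(Counter)          # (app, domain) -> event -> n
    per_dev_hour = defaultdict(Counter)    # (app, domain) -> (device, hour) -> impressions
    for e in events:
        key = (e["app"], e["domain"])
        counts[key][e["event"]] += 1
        if e["event"] == "impression":
            per_dev_hour[key][(e["device"], e["ts"][:13])] += 1
    report = {}
    for key, c in counts.items():
        impr, clicks, conv = c["impression"], c["click"], c["conversion"]
        ctr = clicks / impr if impr else 0.0
        burst = max(per_dev_hour[key].values(), default=0)
        flags = []
        if impr >= min_impr and ctr >= ctr_alert and conv == 0:
            flags.append("clicks_without_conversions")
        if burst >= per_device_hour_alert:
            flags.append("device_volume")
        good = lookalike(key[1], allowlist)
        if good:
            flags.append(f"lookalike_domain:{good}")
        report[key] = {"impressions": impr, "clicks": clicks, "conversions": conv,
                       "ctr": round(ctr, 3), "max_per_device_hour": burst,
                       "flags": flags}
    return report


if __name__ == "__main__":
    for src, r in analyze(parse_log(SAMPLE_LOG), PUBLISHER_ALLOWLIST).items():
        print(src, r)
```

The thresholds are deliberately crude; in practice they are tuned per campaign, and the device-burst check only works if the ad server records a stable per-device identifier. The look-alike check is the one that maps directly to the domain-spoofing described above: a reported domain that is one edit away from a real publisher and is not on the allowlist should never be paid out.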

More than half of all Internet traffic now comes from mobile devices, so it is no surprise that fraudsters target apps. Background execution, unless the user explicitly restricts it in the settings, is what allowed DrainerBot to carry out its click fraud unnoticed.

How the Botnet Was Exposed

The malware was announced in February 2019 by Oracle Data Cloud, Oracle's marketing-data business, which found it using technology from its Moat and Dyn acquisitions.

“DrainerBot is one of the first major ad fraud operations to cause clear and direct financial harm to consumers,” said Eric Roza, senior vice president and general manager of Oracle Data Cloud. “Apps infected with it can cost users hundreds of dollars in overage fees. We look forward to working with companies in the digital advertising ecosystem to identify, expose, and prevent this and other emerging types of click fraud.”

Applications infected with DrainerBot

According to Oracle Data Cloud, the botnet had infected hundreds of popular applications, downloaded by Android users roughly 10 million times in total.

Once the scheme was exposed, most of the apps containing the malicious code were removed from the Google Play Store. Even so, experts expected that a year later, in 2020, the malware could still be present in many apps.

Apps that were found carrying the code and spreading it to users' devices included:
  • Touch and Beat – Cinema
  • Draw heroes from Clash of Clans
  • Solitaire: 4 Seasons (Full)
  • "Vertex Club"
  • Perfect365

Most of the listed apps have since been discontinued, but some still work; their developers most likely shipped a quick update that removed the embedded malicious code.

The DrainerBot case is a textbook example of ad fraud. It was discovered a little over two years after the massive Methbot operation was exposed. How long the botnet had been running is unclear, but the steady emergence of new click-fraud bots shows how hard it is to stay ahead of this technology.

How to protect contextual advertising from bots

Even though ads.txt, the IAB Tech Lab standard that Google enforces across its ad products, has significantly reduced the number of fraudulent sites, the Google Display Network still contains resources that exist solely to generate bot traffic. Botnets drove a large surge in digital ad fraud a few years ago, using app spoofing and hidden in-app ad rendering.
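What ads.txt actually buys a buyer is a way to reject bid requests that name a publisher's domain with a seller ID the publisher never authorized, which is exactly how DrainerBot's spoofed domains monetized. The check below is an added example, not the original post's code and not Google's or the IAB's implementation; the ads.txt contents and the bid requests are constructed, and the file is passed in as text instead of being fetched from `https://<domain>/ads.txt` so the example runs offline.

```python
"""Validate a bid request's claimed publisher against that publisher's ads.txt.

Added example. ads.txt records have the form
  <ad system domain>, <seller account ID>, DIRECT|RESELLER[, <cert authority ID>]
plus '#' comments and KEY=VALUE variable lines. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AdsTxtRecord:
    ad_system: str                 # domain of the ad system / SSP
    seller_id: str                 # publisher's account ID on that system
    relationship: str              # DIRECT or RESELLER
    cert_authority: Optional[str] = None


def parse_ads_txt(text):
    """Return (records, variables). Malformed or unknown-relationship lines
    are skipped rather than trusted."""
    records, variables = [], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments
        if not line:
            continue
        if "=" in line and "," not in line:      # e.g. CONTACT=..., SUBDOMAIN=...
            key, value = line.split("=", 1)
            variables.setdefault(key.strip().upper(), []).append(value.strip())
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            continue
        rel = fields[2].upper()
        if rel not in ("DIRECT", "RESELLER"):
            continue
        cert = fields[3] if len(fields) > 3 and fields[3] else None
        records.append(AdsTxtRecord(fields[0].lower(), fields[1], rel, cert))
    return records, variables


def is_authorized(records, ad_system, seller_id, require_direct=False):
    """True if the publisher lists this seller ID for this ad system."""
    for r in records:
        if r.ad_system == ad_system.lower() and r.seller_id == seller_id:
            if require_direct and r.relationship != "DIRECT":
                continue
            return True
    return False


# Constructed: what the honest publisher serves at /ads.txt. The look-alike
# domain from the fraud scheme publishes nothing, so it has no entry.
ADS_TXT_BY_SITE = {
    "news-site.example": """\
# ads.txt for news-site.example (constructed sample)
CONTACT=adops@news-site.example
adexchange.example, pub-1234, DIRECT, abcd1234ef567890
resellerhub.example, 98765, RESELLER
""",
}


def check_request(site, ad_system, seller_id, ads_txt_by_site=ADS_TXT_BY_SITE):
    """Verdict for one bid request: authorized, unauthorized, or no_ads_txt."""
    text = ads_txt_by_site.get(site)
    if text is None:
        return "no_ads_txt"
    records, _ = parse_ads_txt(text)
    return "authorized" if is_authorized(records, ad_system, seller_id) else "unauthorized"


# Constructed bid requests: (site claimed in the request, ad system, seller ID)
SAMPLE_REQUESTS = [
    ("news-site.example", "adexchange.example", "pub-1234"),  # genuine publisher
    ("news-site.example", "adexchange.example", "pub-9999"),  # spoofed: seller not listed
    ("news-slte.example", "adexchange.example", "pub-1234"),  # look-alike domain, no file
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req, "->", check_request(*req))
```

The caveat a buyer should keep in mind: ads.txt only states who may sell a domain's inventory. It says nothing about whether an impression reported under an authorized seller came from a person looking at a screen or from a hidden player in a background service, so "authorized" still needs the traffic-quality checks that catch zero-conversion click bursts.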

Click fraud is an incredibly lucrative industry, estimated to bring in between $6 billion and $25 billion a year. Cybersecurity experts are discovering fraudulent methods and developing ways to combat them, but fraudsters are also adapting and evolving their techniques.

To stay ahead of scammers and stop them from burning your advertising budget, combine your own traffic analysis with dedicated click-fraud protection services.
 