Cybersecurity researchers uncovered a massive botnet during the 2020 pandemic that had infected about a million Android devices at the time. Instead of carrying out DDoS attacks as expected from a botnet, the Pareto malware was designed to carry out ad fraud operations on CTV devices, the experts found.
Contents
1. Description
2. Operating principle
3. Removing malicious applications
The choice of target in this case was not random, as advertising prices in the CTV sector are significantly higher than similar products on mobile devices or the Internet. Malicious applications impersonated streaming services running on several of the most well-known CTV platforms, such as Roku Os, Fire OS, tvOS, and others.
The Pareto botnet's C&C and C2 servers were also involved in another identical scam campaign targeting the Roku streaming service. 36 apps in the Roku Channel Store were receiving instructions from the C2 server. They acted similarly to the Android Pareto apps, which also impersonated smart TVs and consumer streaming products.
In total, the Satori team found 29 Android apps that were used by the botnet. The malware forced devices to follow links that were specified by the operator in the TopTopSDK file. This set was primarily intended to perform fake ad views on CTV devices.
The Pareto botnet and its actions were controlled by a C2 server called JSON Server, which checks for new commands every 30 seconds. The URL differed from application to application, but the C2 root directory was the same for all of them.
The apps in the Roku Channel Store, 36 in total, connected to the same C2 server and received instructions that would then generate fake ad impressions on different users' streaming devices.
The Pareto botnet, whose creators made money on CTV advertising, was discovered a year after the attacks began and blocked thanks to the coordinated work of blocking services, advertising platforms, media agencies and digital platform operators. Specialists from Omnicom Media Group, Trade Desk, Magnite, Google and Roku, together with the digital security agency Human, participated in catching this botnet.
| Name | Pareto |
| Status | Deactivated (presumably) |
| Description | Malware used to generate fake ad views in the CTV sector. Infects devices via Android mobile apps. |
Contents
1. Description
2. Operating principle
3. Removing malicious applications
Description
The Pareto botnet used dozens of compromised Android mobile apps to impersonate 6,000 CTV services, generating 650 million fake ad views per day.The choice of target in this case was not random, as advertising prices in the CTV sector are significantly higher than similar products on mobile devices or the Internet. Malicious applications impersonated streaming services running on several of the most well-known CTV platforms, such as Roku Os, Fire OS, tvOS, and others.
The Pareto botnet's C&C and C2 servers were also involved in another identical scam campaign targeting the Roku streaming service. 36 apps in the Roku Channel Store were receiving instructions from the C2 server. They acted similarly to the Android Pareto apps, which also impersonated smart TVs and consumer streaming products.
Operating principle
The Satori team discovered a set of Android devices that were posing as CTV devices using common user agents associated with real consumer streaming services. Upon closer inspection, the HUMAN reverse engineering team discovered the app that ultimately led them to a large-scale ad fraud operation using a proprietary SDK.In total, the Satori team found 29 Android apps that were used by the botnet. The malware forced devices to follow links that were specified by the operator in the TopTopSDK file. This set was primarily intended to perform fake ad views on CTV devices.
The Pareto botnet and its actions were controlled by a C2 server called JSON Server, which checks for new commands every 30 seconds. The URL differed from application to application, but the C2 root directory was the same for all of them.
The apps in the Roku Channel Store, 36 in total, connected to the same C2 server and received instructions that would then generate fake ad impressions on different users' streaming devices.
Removing Malicious Applications
The CTV sector allows streaming services to provide viewers with engaging content and advertisers to place targeted ads to their audiences. That is why it is important that within this ecosystem, CTV products and companies work together to protect content from any fraud, detect it, block and remove it as soon as possible.The Pareto botnet, whose creators made money on CTV advertising, was discovered a year after the attacks began and blocked thanks to the coordinated work of blocking services, advertising platforms, media agencies and digital platform operators. Specialists from Omnicom Media Group, Trade Desk, Magnite, Google and Roku, together with the digital security agency Human, participated in catching this botnet.
