Google acknowledges Android fraud that was stealing millions in fake ad revenue, has removed those apps and blacklisted sites


Owing to the new aspects of an ad fraud operation across apps and websites that were monetizing with numerous ad platforms, Google in the past week removed apps involved in the ad fraud scheme, so they can no longer monetize with Google.

It also blacklisted additional apps and websites that are outside of its ad network, to ensure that advertisers using Display & Video 360 do not buy any of this traffic. Google says that it is continuing to monitor this operation and will continue to take action if it finds any additional invalid traffic. Google estimates that the dollar value impacted how much advertiser spends across the apps and websites involved in the operation and is under $10 million.

The majority of impacted advertiser spend was from invalid traffic on inventory from non-Google, third-party ad networks. Google deploys comprehensive, state-of-the-art systems and procedures to combat ad fraud. The company’s engineering and operations teams, across various organizations, are also taking systemic action to disrupt this threat, including the take down of command and control infrastructure that powers the associated botnet.

In addition, Google has shared relevant technical information with trusted partners across the ecosystem, so that they can also harden their defenses and minimize the impact of this threat throughout the industry. The web-based traffic is generated by a botnet that Google and others have been tracking, known as “TechSnab.”

The TechSnab botnet is a small to medium-sized botnet that has existed for a few years. The number of active infections associated with TechSnab was reduced significantly after the Google Chrome Cleanup tool began prompting users to uninstall the malware. Much like the other botnets, this operates by creating hidden browser windows that visit web pages to inflate ad revenue. The malware contains common IP based cloaking, data obfuscation, and anti-analysis defenses.

This botnet drove traffic to a ring of websites created specifically for this operation and monetized with Google and many third-party ad exchanges.  Based on analysis of historical ads.txt crawl data, inventory from these websites was widely available throughout the advertising ecosystem, and as many as 150 exchanges, supply-side platforms (SSPs) or networks may have sold this inventory. The botnet operators had hundreds of accounts across 88 different exchanges (based on accounts listed with “DIRECT” status in their ads.txt files).

This fraud primarily impacted mobile apps. The traffic from these apps seems to be a blend of organic user traffic and artificially inflated ad traffic, including traffic based on hidden ads.