Ad safety company Pixalate has uncovered what it says is a ‘sophisticated’ mobile app fraud potentially costing advertisers up to $75 million a year if allowed to run unchecked.
The company says it discovered that Android app MegaCast — which allows users to broadcast content to Google’s Chromecast — was using ‘mobile app laundering’ to generate fraudulent ad impressions.
MegaCast is developed by a company called Messamta which, according to Whois.com, registered its domain in Russia although the phone number seems to be Bulgarian. The postcode of 111111 does not inspire confidence.
According to Pixalate, if a mobile device were left on for 24 hours, MegaCast was serving around 1400 impressions a day — around one ad per minute — 60 per cent of which were display at $US0.58 CPM, and 40 per cent video costing $US4.64 CPM.
The ads were being served up even if the app was not open, or the phone was locked.
“As soon as the phone turns on (even before it is unlocked) the MegaCast app appears to begin transacting ads in the background,” Pixalate wrote on its web site.
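As an added example (not from Pixalate or Which-50), this Python sketch shows the kind of device-side check a defender could run over ad-request telemetry: it flags apps that keep requesting ads at a steady cadence while the screen is locked, and works out the per-device daily advertiser spend from the article's figures. The package names, log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample telemetry (not real data): one line per ad request seen
# from a device, with the screen state at the time of the request.
# Format: ISO timestamp, package name, screen state, ad format.
SAMPLE_LOG = """\
2018-06-18T00:00:05 com.example.castapp locked display
2018-06-18T00:01:07 com.example.castapp locked video
2018-06-18T00:02:04 com.example.castapp locked display
2018-06-18T00:03:09 com.example.castapp locked display
2018-06-18T00:04:06 com.example.castapp locked video
2018-06-18T09:15:00 com.example.newsreader unlocked display
2018-06-18T09:16:30 com.example.newsreader unlocked display
"""

# Price points quoted in the article (USD per thousand impressions).
CPM_USD = {"display": 0.58, "video": 4.64}

def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pkg, screen, fmt = line.split()
        events.append((datetime.fromisoformat(ts), pkg, screen, fmt))
    return events

def profile_apps(events, min_locked_ratio=0.5, max_gap_s=120):
    """Per app: request count, share issued while locked, cost, suspicion flag."""
    by_app = defaultdict(list)
    for ev in events:
        by_app[ev[1]].append(ev)
    out = {}
    for pkg, evs in by_app.items():
        evs.sort()
        locked = sum(1 for e in evs if e[2] == "locked")
        cost = sum(CPM_USD[e[3]] / 1000 for e in evs)
        # A steady cadence of requests with the screen locked is the pattern
        # described for MegaCast: no user can be viewing those ads.
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(evs, evs[1:])]
        steady = bool(gaps) and max(gaps) <= max_gap_s
        ratio = locked / len(evs)
        out[pkg] = {"requests": len(evs), "locked_ratio": ratio,
                    "est_cost_usd": cost,
                    "suspicious": steady and ratio >= min_locked_ratio}
    return out

def daily_cost_per_device(impressions=1400, display_share=0.6):
    """Advertiser spend per device per day at the article's figures (~$3.09)."""
    video_share = 1 - display_share
    blended_cpm = display_share * CPM_USD["display"] + video_share * CPM_USD["video"]
    return impressions * blended_cpm / 1000
```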
MegaCast has been downloaded more than a million times, has more than 15,000 reviews and an average user rating of four stars, according to the Google Play Store. However, Shailin Dhar, founder, director and researcher at Method Media Intelligence, says those can also be manufactured at will to lend legitimacy and reduce suspicion.
“It gives them the scope to send as many ad requests as they want,” he tells Which-50.
He says the mobile ad fraud being perpetrated is similar to the malware and viruses slowing down PCs during the late 1990s and early 2000s.
“People would get fed up with their PCs because they would get very slow over time, [and it happened] because people used to download a bunch of bulls*** software that was filled with viruses,” he says. “That’s how botnets were created initially. People would download a piece of screensaver software that would eat up CPU power and processing capacity because it would run invisible browsers in the background.”
The same thing is now occurring in the mobile space. In the case of MegaCast, anyone can already broadcast to Chromecast without needing to download a separate app.
“[Ad fraud initiatives like this] rely on clueless people downloading apps like flashlights or QR code readers, as well as the apps sending a bunch of ad requests where seemingly legitimate or harmless ads come up in the domain reports on the buyer side,” he says.
The security researcher describes it as a snowflake-in-an-avalanche type of problem where each individual buyer may only see 15,000 clicks, but across the market it adds up to tens of millions.
“With QR code readers or flashlight apps, it’s really insane to have 50 million ads a day. Just the concept of people trying to use a flashlight, in the dark, and then 50 million people clicking on an ad they found interesting while using the flashlight? It just doesn’t make any logical sense.”
Dhar says there is not a lot of scrutiny over ad fraud in the Google Play Store.
“The malicious activity they’re looking for is if an app is injecting something onto the user’s machine, like a keylogger that waits to receive information,” he says. “That would be detected. But MegaCast is only sending requests out to ad exchanges so it wouldn’t catch the same red flags.
“The only people that can specifically do anything about this is Apple and Google. They control all the pipes. But there should also be some basic common sense applied by buyers.”
We provided MegaCast’s developer with an opportunity to comment. It has not done so.
This post was last modified on June 18, 2018, 5:23 pm