Researchers at Human Security, the cybersecurity company formerly known as White Ops, have discovered a massive botnet campaign that uses Android devices to commit fraud in the connected TV (CTV) advertising ecosystem. Described as one of "the most sophisticated" fraud campaigns of its kind, the operation has been running since at least 2019 and was detailed by the researchers on Wednesday.
Dubbed Pareto, the mobile botnet used nearly a million Android devices to generate fraudulent ad impressions.
Researchers found 29 Android apps, most of them distributed through the Google Play Store, that made compromised Android devices pose as smart TVs in order to generate 650 million ad requests a day.
In this scheme, the operators fooled advertisers, who paid for the ad placements, into believing the ad views were real when in reality no one ever saw them. Researchers found an additional 36 apps on the Roku streaming TV platform that were part of the same scam.
The apps appeared benign on the surface but contained a software development kit that generated fake ad views.
Human Security said the botnet impersonated or spoofed more than 6,000 CTV apps, including apps for Fire OS, tvOS, Roku OS and other prominent CTV platforms.
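The mechanism described above (phones carrying an SDK that declare themselves CTV devices and cycle through spoofed app identities) leaves traces an ad exchange can look for in its own request logs. The following is an added example, not code from Human Security or from the Pareto report: it runs three heuristics over a constructed, hypothetical ad-request log, flagging a device whose User-Agent is a mobile OS while it claims to be a TV, a device identifier that presents as many different app bundles, and a request rate no real television's ad breaks would produce. The field names, the User-Agent marker list and the thresholds are assumptions chosen for illustration.

```python
"""Heuristics for spotting mobile devices that spoof connected-TV (CTV) ad inventory.

Added example, not code from Human Security or the Pareto report. The log format,
field names and thresholds are assumptions chosen for illustration.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Tokens a genuine CTV device's User-Agent should not carry (assumed marker list).
MOBILE_UA_MARKERS = ("Android", "Dalvik", "Mobile")
# A real CTV app runs as one bundle; a node spoofing thousands of apps rotates them.
MAX_BUNDLES_PER_DEVICE = 3
# Assumed ceiling on ad requests one television could plausibly make in an hour.
MAX_REQUESTS_PER_HOUR = 60


def build_sample_log():
    """Constructed ad-request log: one honest Roku app and one spoofing Android phone.

    Each line is a JSON record an ad exchange might keep per bid request: the
    device's self-declared type, the app bundle it claims to run, its User-Agent,
    a device identifier and a timestamp. Field names are hypothetical.
    """
    start = datetime(2021, 4, 21, 10, 0, 0)
    records = []
    # Honest device: a Roku, a single bundle, one ad break every ten minutes.
    for i in range(6):
        records.append({
            "ts": (start + timedelta(minutes=10 * i)).strftime(TS_FORMAT),
            "device_id": "ifa-roku-1",
            "declared_type": "ctv",
            "bundle": "com.example.rokunews",
            "ua": "Roku/DVP-9.4 (099.04E04174A)",
        })
    # Spoofing device: Android User-Agent but declares itself a CTV, cycles through
    # 40 different app bundles and fires a request every 30 seconds.
    for i in range(120):
        records.append({
            "ts": (start + timedelta(seconds=30 * i)).strftime(TS_FORMAT),
            "device_id": "ifa-bot-1",
            "declared_type": "ctv",
            "bundle": f"com.spoofed.tvapp{i % 40}",
            "ua": "Dalvik/2.1.0 (Linux; U; Android 9; SM-G950F Build/PPR1.180610.011)",
        })
    return [json.dumps(r) for r in records]


def peak_hourly_rate(recs):
    """Largest number of requests falling in any sliding one-hour window."""
    times = sorted(r["ts"] for r in recs)
    best = lo = 0
    for hi, t in enumerate(times):
        # Slide the window start forward until it is within one hour of t.
        while t - times[lo] >= timedelta(hours=1):
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def detect_spoofed_ctv(lines):
    """Return {device_id: [reasons]} for devices whose CTV claims look spoofed."""
    by_device = defaultdict(list)
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], TS_FORMAT)
        by_device[rec["device_id"]].append(rec)

    findings = {}
    for device_id, recs in by_device.items():
        reasons = set()
        ctv_claims = [r for r in recs if r["declared_type"] == "ctv"]
        # Rule 1: the device says it is a TV, but its User-Agent says mobile OS.
        if any(m in r["ua"] for r in ctv_claims for m in MOBILE_UA_MARKERS):
            reasons.add("mobile_user_agent_declares_ctv")
        # Rule 2: one device identifier presenting as many different apps.
        if len({r["bundle"] for r in recs}) > MAX_BUNDLES_PER_DEVICE:
            reasons.add("bundle_rotation")
        # Rule 3: more requests per hour than a television's ad breaks could yield.
        if peak_hourly_rate(recs) > MAX_REQUESTS_PER_HOUR:
            reasons.add("implausible_request_rate")
        if reasons:
            findings[device_id] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for dev, why in detect_spoofed_ctv(build_sample_log()).items():
        print(dev, ", ".join(why))
```

These are coarse, per-device signals. An operator who, as the article notes, keeps changing methods can forge a convincing CTV User-Agent and throttle request rates, so in practice such heuristics are a first filter ahead of cross-device analysis (shared C2 infrastructure, supply-chain checks such as verifying that the claimed bundle actually sells through the seller in the bid) rather than a verdict on their own.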
Human Security said its Satori Threat Intelligence and Research Team first discovered the mobile botnet in 2020 and since then, has been working with Google, Roku, and others to mitigate the threat and disrupt the fraud operation.
Human Security researchers found that the botnet took advantage of the pandemic and the surge in connected TV viewing and ad spending that it spurred.
“This particular approach is lucrative for fraudsters, as pricing for ads on connected TVs is often substantially higher than pricing on mobile devices or on the web,” the company said.
The security company said the Pareto operators have been “incredibly sophisticated and evasive over the last year,” changing their methods and coming up with new ways to disguise fake traffic.
Regarding the operation on Roku, Human Security researchers said:
“We found a collection of 36 apps on Roku’s Channel Store that received instructions from the same server that was operating nodes in the Pareto botnet.”
“That server, called a command-and-control (C2) server, sends instructions out to all of the phones that have been infected, and those phones then carry out the activity. These Roku apps, in a similar fashion to the Android-based Pareto apps, were spoofing other smart TV and consumer streaming products,” according to Human Security’s report.
The company said the fraudulent apps have now been removed from the official app marketplaces, and that it has provided information about "key figures" behind the fraud operation to law enforcement.