How Ad Fraudsters Are Thriving During the Covid-19 Crisis

Brands have started to share intelligence about suspicious data and traffic

Two different anti-fraud reports found problems in both the Google and Apple app stores in recent months. - Credit by Getty Images
Headshot of Rachel Winicov

Despite unprecedented efforts from the ad industry and law enforcement, fraud continues to blight the sector. 

It’s an issue that cost advertisers $42 billion in 2019, according to analytics firm Juniper Research, and continues to challenge even the most seasoned security professionals, with app stores a notable point of vulnerability in the ecosystem. 

That’s the conclusion of separate reports released this week, with experts also claiming the economic chaos spurred by the novel coronavirus is serving as further cover for fraudsters. 

Security firm White Ops uncovered a fraud scheme dubbed Terracotta that targeted the Google Play store. While it’s undetermined how much Terracotta cost advertisers, previously, White Ops reported a botnet scheme that reportedly stole between $3 million and $5 million a day.

The scam worked by promising free shoes to users who downloaded certain apps through Google Play. In reality, some 5,000 apps were spoofed with malware, installing a modified browser that generated fake ad clicks. The malware disguised itself as other popular Android apps to fool advertisers, as some of the app developers did not have sufficient ads.txt cover.  

White Ops investigated the attack along with Google, claiming it triggered up to 2.4 billion fake bid requests with 65,000 Android phones infected. 

The scam resembles the notorious 2018 3ve case, in which foreign nationals operated a botnet that infected over a million devices, downloading fake browsers onto users’ PCs to imitate ad traffic, a scam that warranted investigation by the FBI and a subsequent legal case.

Joe Tallet, manager of detection and data intel at White Ops, said his team identified a series of unusual traffic patterns over the course of six to nine months, singled out the sources of those disruptions and then ultimately delisted those apps from the Play store. 

Meanwhile, a separate study this week by programmatic insights platform Pixalate also identified app stores as a point of vulnerability, claiming Google delisted 500,000 Android apps, which accounted for over 14 billion downloads, in the first half of 2020, while Apple delisted 300,000 apps during the same period.


White Ops worked with Google to remove the offending apps on Play Store, and in order to expedite the process of detecting threats, Google participates along with several other firms as part of trade organization Trustworthy Accountability Group’s (TAG) Threat Exchange.

Launched in 2018, the Threat Exchange serves as an intelligence-sharing community for companies across the ad-tech industry. The exchange has grown in members recently, although TAG declined to provide a specific number or list of members. Due to increased demand for its intelligence network, TAG hired cybersecurity expert Danielle Meah as director of threat intelligence earlier this month.

“We’re seeing real impact from [intelligence] sharing now: reducing the time-to-life for a lot of the attacks that are being shared, one-to-one impact ratio for the industry,” Meah said.

Mike Zaneis, CEO of TAG, added, “They can get this data point, maybe a seat ID on a buying platform [such as an ad exchange] that is distributing malware, and they can go look for that same activity.” He compared the exchange to the difference between poking around in the dark with a flashlight versus shining a large spotlight. 

Both the ramped-up Threat Exchange and the Terracotta attack come as the ad-tech industry explores its rampant fraud problem, from connected TV to the supply-chain itself

Experts told Adweek that turbulence from Covid-19 has contributed to increased fraud this year. Tallet added that unrelated to the pandemic, unsophisticated fraud has “never been easier.” Bad actors can simply “set up automation software—which you can deploy to as many servers in the cloud as you want—to pretend to be Google Chrome, clicking ads and pretending to be a human.”

Rachel Winicov is an intern with Adweek for the summer of 2020 focusing on digital media, ad tech and social media. She is a rising senior at the University of Pennsylvania, where she studies classics. Rachel is from Philadelphia, Pa.