The software affects hundreds of Android apps that have been downloaded collectively more than 10 million times, the researchers said.
Because the invisible advertisements rely on the phone’s mobile data connection and processing power, the bot can lead to more than 10 GB of extra data usage per month, Oracle said, exposing some cellphone users to possible data overage fees.
Consumers aren’t the only ones potentially harmed by the bot, said Eric Roza, senior vice president at Oracle. The bot wastes marketers’ money by selling ads that nobody sees, and it tarnishes the app developers who were probably unaware of its existence, he said.
“This is a crime with three layers of victims,” he said in an interview. “I hadn’t seen anything like this before.”
Oracle’s researchers first stumbled across DrainerBot last summer, when network analysts flagged a suspicious spike in data traffic from some Android devices. Soon the company traced the bot’s code to a Dutch firm that specializes in combating app piracy.
The Dutch company, Tapcore, released a statement Wednesday saying it had no involvement in the scheme. Tapcore’s main business aims to help app developers get paid, through advertising, when software pirates use their apps illegally.
“Tapcore strongly denies any intentional involvement in this supposed ad fraud scheme and are extremely surprised by the Oracle findings. We’ve already launched a full scale internal investigation to get to the bottom of it and will be providing updates as they become available.”
Tapcore’s software is ordinarily integrated into other apps before they’re published, and only serves ads to users who acquired the apps illegitimately, according to its website. Downloading an app with Tapcore’s code in it from the Google Play Store, for example, is not supposed to trigger the advertising. Tapcore’s offer to advertisers does not appear to mention the ad bot.
In a statement Wednesday, Google said it has blacklisted all of the infected apps identified by Oracle and is investigating the two remaining apps cited by Oracle that were still active on the Google Play Store. The other apps on Oracle’s list either never appeared on Google’s app store or were removed previously for other reasons.
“Google Play Developer policies prohibit deceptive and malicious behavior on our platform. If an app violates our policies, we take action,” Google said.
There is little reason to expect that app developers or app store operators would have detected DrainerBot during the normal development process, Oracle said.
After lying dormant for a period of time within an infected app, the infected software kit distributed by Tapcore was programmed to reach out to a server and download additional code that ultimately activated DrainerBot. Oracle said the intentional delay probably made it harder to detect the plot. Oracle said it was notifying the public of the ad fraud operation to protect the value of legitimate advertising.
Ad industry groups are expected to brief marketers on DrainerBot later this week.
“We are delighted to work with Oracle to educate and inform TAG’s membership about this emerging threat,” said Mike Zaneis, chief executive of the Trustworthy Accountability Group, which is led by companies such as Disney, Google and Facebook.
A list of affected apps and instructions for deleting them can be found on the website of Oracle’s advertising analytics subsidiary, Moat.