Who pays the hackers?

What does the term “malware” bring to mind? Something that steals your information? Logs your keystrokes? Turns your device into a bot? How about malware that shows you ads?

AdWare is a type of malware designed to do exactly that. Whereas legitimate ads are served inside an app or on a web page, AdWare displays ads in places they do not belong, such as the device lock screen, is aggressive about showing a high volume of ads, and uses device and software exploits to evade anti-malware and resist removal. The hacker participates in the ad network just like any other app developer and earns revenue from all the ad impressions and click-throughs. Even though those impressions are coerced, they appear to the ad network as legitimate traffic.

Because AdWare makes advertising less effective it seems to follow that ad fraud would be bad for the ad industry. But is it really? To answer that we need to consider who pays the hackers, and why.

First, this is not a small problem. The Verge reports that one AdWare campaign alone is responsible for 25 million infections. There are many different variants of AdWare and the segment is growing. That’s a LOT of fraudulent impressions.

‘Agent Smith’ malware has replaced Android apps’ code on 25 million devices

A newly discovered piece of Android malware that replaces portions of apps with its own code has infected more than 25 million devices, according to security firm Check Point. Check Point’s researchers named the malware “Agent Smith” because of the methods it uses to attack a device and avoid detection.

The malware doesn’t steal data from a user. Instead, it hacks apps and forces them to display more ads or takes credit for the ads they already display so that the malware’s operator can profit off the fraudulent views.

Consider also that ad fraud is profitable enough that some otherwise legitimate ad networks adopt AdWare tactics. The team at Malwarebytes explains:

BatMobi is an Advertisement Software Development Kit (Ad SDK), which is essentially a software library that connects applications to ad networks. Developers insert Ad SDKs into their apps’ code to gain revenue through ads. Thus, they can offer their apps for free and still make money. Most variants of BatMobi were clean and safe to use — until recently.

In the past, we have seen ad companies clearly move from legitimate to serving adware, becoming overly aggressive with data collection and/or aggressively pushing ad content, as in the case above.

When the malware is discovered it is removed from the device or from the app store, depending on who finds it. With few exceptions, detection and removal is the only penalty the hackers face. The Agent Smith malware was traced back to a Chinese company safely outside the jurisdiction of the countries in which the fraud occurred. Of all the types of malware, AdWare offers one of the best risk/effort/reward cases.

AdWare significantly increases the volume of ads displayed by an infected device, and that rising tide lifts all the boats in the ad delivery pipeline. There’s more inventory to sell. More money is extracted from advertisers and pumped into the ecosystem. The opacity of the ad delivery system ensures that the reduced effectiveness of the ads is more than offset by the increased revenue.

The hackers perform the dual roles of R&D arm and liability shield of the ad networks. The ad networks provide the porous pipeline and the plausible deniability from which the revenue opportunity arises. The result is a mutually profitable symbiosis woefully short on incentive for the ad networks to detect and reject the fraud traffic.

Back in the early ’90s I worked at Equifax and we were able to detect check fraud with such accuracy that we didn’t need to recover on bad checks to turn a profit on the check guarantee service. My recent consulting clients are large US credit card issuers and all of them have amazingly accurate card fraud detection. Something as simple as per-device revenue capping would take a huge chunk out of ad fraud revenue and technology adapted from the card payments industry could be even more effective.
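The per-device revenue cap mentioned above, combined with a velocity rule of the kind card issuers apply to transactions, as an added illustration in Python. This is not code from the author or from any ad network; the log format, the two thresholds, the device identifiers and the impression records are all constructed for the example. Rejected impressions still count against a device's velocity window, so a device cannot "reset" the window by having some impressions refused.

```python
"""Per-device revenue cap plus a velocity rule applied to ad impression events.
Added illustration; thresholds and log format are assumptions, not any real
ad network's rules."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal

LOG_TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def fmt_event(ts, device, app, revenue):
    """Render one impression record: timestamp device app revenue_usd."""
    return f"{ts.strftime(LOG_TS_FORMAT)} {device} {app} {revenue}"


def build_sample_log():
    """Constructed sample impression log (made-up records, not real traffic).

    d-normal: five impressions spread across the day.
    d-burst:  fifteen impressions in under 30 seconds (AdWare-style volume).
    d-cap:    twelve well-spaced impressions whose revenue exceeds the daily cap.
    """
    t0 = datetime(2019, 7, 10, 9, 0, 0)
    lines = [fmt_event(t0 + timedelta(hours=h), "d-normal", "com.example.weather", "0.02")
             for h in range(0, 10, 2)]
    lines += [fmt_event(t0 + timedelta(minutes=30, seconds=2 * i), "d-burst",
                        "com.example.flashlight", "0.02") for i in range(15)]
    lines += [fmt_event(t0 + timedelta(minutes=10 * i), "d-cap", "com.example.game", "0.05")
              for i in range(12)]
    return "\n".join(lines)


def parse_event(line):
    """Parse one whitespace-separated record into a dict; revenue stays exact."""
    ts, device, app, revenue = line.split()
    return {"ts": datetime.strptime(ts, LOG_TS_FORMAT), "device": device,
            "app": app, "revenue": Decimal(revenue)}


def screen_impressions(log_text, daily_cap_usd=Decimal("0.50"), max_per_minute=10):
    """Decide, impression by impression, which ones the network should pay for.

    Two hypothetical rules:
      velocity: more than max_per_minute impressions from one device within any
                trailing 60 s window are rejected (nobody views ads that fast);
      cap:      once a device's accepted revenue for the day reaches
                daily_cap_usd, further impressions earn nothing.
    """
    events = sorted((parse_event(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    window = timedelta(seconds=60)
    recent = defaultdict(deque)        # device -> timestamps inside trailing window
    paid_today = defaultdict(Decimal)  # (device, date) -> accepted revenue so far
    summary = defaultdict(lambda: {"accepted": 0, "paid_usd": Decimal("0"), "rejected": {}})
    for ev in events:
        dev, ts = ev["device"], ev["ts"]
        q = recent[dev]
        q.append(ts)                   # rejected impressions stay in the window too
        while ts - q[0] >= window:
            q.popleft()
        s = summary[dev]
        if len(q) > max_per_minute:
            s["rejected"]["velocity"] = s["rejected"].get("velocity", 0) + 1
            continue
        day_key = (dev, ts.date())
        if paid_today[day_key] + ev["revenue"] > daily_cap_usd:
            s["rejected"]["cap"] = s["rejected"].get("cap", 0) + 1
            continue
        paid_today[day_key] += ev["revenue"]
        s["accepted"] += 1
        s["paid_usd"] += ev["revenue"]
    return dict(summary)


def flagged_devices(summary):
    """Devices with any rejected impression: candidates for a closer look."""
    return sorted(d for d, s in summary.items() if s["rejected"])


if __name__ == "__main__":
    result = screen_impressions(build_sample_log())
    for device, s in sorted(result.items()):
        print(device, s)
    print("flagged:", flagged_devices(result))
```

On the constructed log the normal device is paid in full, the bursting device has its impressions beyond ten per minute refused, and the capped device stops earning once it reaches the daily limit. In a real deployment the thresholds would be tuned per app category and the flagged list fed to the same kind of review queue a card issuer uses, but even these two rules remove most of the revenue an AdWare infection generates.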

Of course, banks bear the full cost of card fraud, so they have a financial incentive to prevent it and the savings offset the development costs. The cost of ad fraud, by contrast, is passed to advertisers. If they notice that their campaigns are not as effective as promised, they are encouraged to tweak and re-run their campaigns. For the ad network, whose sellable inventory and revenue ad fraud increases, the incentive is simply to look the other way.

This isn’t a system that’s become corrupt so much as it is corruption that’s been organized into a well-tuned system. It’s time we called B.S. on surveillance advertising and real-time bidding networks.

Hat tips to independent ad fraud researcher Dr. Augustine Fou and Katherine Warman Kern of Comradity for feedback on my early draft.

WebSphere MQ security guy! My Tweets/views are my own. Also blogging at http://ask-an-aspie.net and http://tdotrob.wordpress.com