Researchers at Oracle say sneaky piece of advertising software may be responsible for driving up millions of Android user’s mobile data usage and wasting their device’s battery life. The tech company claims the code is the heart of a massive fraud operation called “DrainerBot,” which works by quietly downloading gigabytes of video ads to a consumer’s smartphone and then “displaying” them, where they run in the background. The software affects hundreds of Android apps that have been downloaded collectively more than 10 million times, researchers say.
Because the invisible advertisements rely on the phone’s mobile data connection and processing power, the bot can lead to more than 10 GBs of extra data usage per month, Oracle said, exposing some cellphone users to possible data overage fees.
And consumers aren’t the only ones potentially harmed by the bot. Oracle points out, BrainerBot wastes marketers’ money by selling ads that users don’t see, and it tarnishes the app developers who were likely unaware of its existence.
Oracle’s researchers first stumbled across DrainerBot last summer, when network analysts flagged a suspicious spike in data traffic from some Android devices. Soon the company traced the bot’s code to a Dutch firm that specializes in combating app piracy. It is unclear whether the Dutch company, Tapcore, knew of the bot or if it was responsible for it. Tapcore’s main business aims to help app developers get paid, through advertising, when software pirates use their apps illegally. Tapcore didn’t respond to multiple requests for comment Wednesday morning.
Tapcore’s software is ordinarily integrated into other apps before they’re published, and only serves ads to users who acquired the apps illegitimately, according to its website. Downloading an app with Tapcore’s code in it from the Google Play Store, for example, is not supposed to trigger the advertising. (Google didn’t immediately respond to a request for comment.) Tapcore’s offer to advertisers does not appear to mention the ad bot.
But there is little reason to expect that app developers or app store operators would have detected DrainerBot during the normal development process, Oracle said.
After lying dormant for a period of time within an infected app, the infected software kit distributed by Tapcore was programmed to reach out to a server and download additional code that ultimately activated DrainerBot. Oracle said the intentional delay likely made it harder to detect the plot. Oracle said it was notifying the public of the ad fraud operation to protect the value of legitimate advertising.