Thousands of Apps Secretly Run Ads That Users Can't See

Advertisers lose over $850 million per year to invisible fraud within mobile apps

The Apps World Multi-Platform Developer Show in London.

The Apps World Multi-Platform Developer Show in London.

Photographer: Chris Ratcliffe/Bloomberg

There may be much more advertising in apps than it seems. Thousands of mobile applications are secretly running ads that can't be seen by users, defrauding marketers and slowing down smartphones, according to a new report by Forensiq, a firm that tracks fraud in online advertising.

Over the course of the 10-day study, one percent of all devices observed in the U.S. ran at least one app committing this kind of fraud; in Europe and Asia, two to three percent of devices encountered fake ads. Forensiq identified over 5,000 apps that display unseen ads on both Apple and Android devices. Advertisers are paying about $850 million for these ads each year, according to the report, and the apps with the highest rate of ad fraud can burn through 2 gigabytes of data per day on a single device. 

The sheer amount of activity generated by apps with fake ads was what initially exposed the scam. Forensiq noticed that some apps were calling up ads at such a high frequency that the intended audience couldn’t possibly be actual humans. The apps, says Forensiq, were hitting these numbers by showing as many as five ads in the background for every ad visible to users. Some apps continued to scroll through ads even after the app had been closed. 

Unlike many other types of malicious software, the apps also serve a legitimate purpose. Many of them are simple games or utilities, and they seem to have real users.“It’s not Angry Birds or Candy Crush, but these are apps that people play and enjoy and some real effort went into developing,” says David Sendroff, Forensiq’s founder and chief executive. 

Forensiq’s report doesn’t actually name any of the apps, but the firm revealed several of the suspicious apps to me. One of them was a breastfeeding app for Apple devices published by American Baby magazine and app developer Sevenlogics; the invisible ads tout Olive Garden, Amazon, and IBM. The newest version of the app has an average rating of 4 stars. One review, posted by someone describing herself as "Annoyed and Frustrated Mommy," expressed mixed feelings about the product. While it was a "livesaver" for a new mom, she found that 

"after a few months the freezes, restarts, and crashes became more frequent and persistent. I also noticed the pop up ads became more tricky to avoid accidentally clicking on, and now I swear my phone takes me straight to the App Store when I haven't even touched the screen after the pop up appears. Unfortunately it's too late for me to switch apps because all my info is wrapped up in this one." 

Alex Cheng, the president of Sevenlogics, says it hasn't added any code that would run invisible ads. He says the company does work with advertising technology who regularly change their own technology. "We are monitoring very closely with our ad vendors to prevent any intrusive advertisements," he says. A spokesman for Meredith Corporation, the publisher of American Baby, declined to comment. 

Complaints about crashing and slowness are also common on reviews for a series of silly games for Android devices with names like Waxing Eyebrows, Celebrity Baby, and Vampire Doctor, all published by the developer Girls Games Only. Forensiq’s video shows these also running code that produces a steady stream of unseen advertisements from companies like Microsoft, Coca-Cola, and Mercedes Benz. The performance issues are almost certainly caused by the extra load resulting from the apps' secondary functions, says Forensiq.

Girls Games Only did not respond to requests for comment. On Thursday its apps were suspended from the Google Play store. 

Surreptitiously running advertisements is a violation of the rules governing all apps available in Apple and Android stores. But it's tricky to identify what’s happening. The best way, says Sendroff, would be to monitor bandwidth usage over time—something Google and Apple might not have the ability to do. Apple declined to comment for this story, and Google didn’t respond to an interview request. 

The main limiting factor for this particular flavor of ad fraud may be economic. The average ad rates for mobile ads on the apps in the Forensiq report hovered around $1 per thousand views. People intent on making a living through a scam on mobile devices probably have more lucrative options.

Lookout, a security firm focused on mobile threats, says that most of the growth in mobile malware in the U.S. is coming from so-called ransomware, where criminals commandeer a phone and then demand money to unlock it. “Why am I going to do ad monetization when I can have something pop up and say I’m not going to unlock your device unless you give me $200,” says Michael Bentley, Lookout’s head of research and response. “The payoff per phone is just so low.” 

That said, the risk in ad fraud is also much lower. Fraud is endemic in the online advertising world, and the victims—the brands paying for the ads—often lose track of where their ads end up once they are traded through several automated layers of middlemen. If even the victims of a crime are unaware it’s going on, there’s probably less of a chance of anyone getting caught. 

Update 7/23 4 pm: The Google Play Store has suspended Waxing Eyebrows, Celebrity Baby, and Vampire Doctor.

Update 7/24 11 am: Adds comment from Sevenlogics in seventh paragraph.

 

Before it's here, it's on the Bloomberg Terminal. LEARN MORE