Beware of DrainerBot! It can drain your data and your mobile device’s battery life

• Researchers observed a new Ad fraud campaign dubbed ‘DrainerBot’ which plays invisible ad videos in Android devices via infected apps.
• The ad fraud scheme has been distributed via infected Android applications that have almost 10 million downloads.

Researchers from Oracle observed a new Ad fraud campaign dubbed ‘DrainerBot’ which plays ad videos in Android devices via infected apps. The DrainerBot ad fraud scheme uses malicious codes in Android apps to deliver ad videos to mobile devices that have installed the infected apps. The ad fraud scheme has been distributed via infected Android applications that have almost 10 million downloads.

Invisible ad videos

The delivered ad videos do not appear onscreen in the apps and are invisible to users. As and when each advertisement is viewed on the legitimate mobile publisher’s site, the infected app reports to the ad network connected to the DrainerBot campaign.

“The infected app reports back to the ad network that each video advertisement has appeared on a legitimate mobile publisher site, but the sites are spoofed, not real,” researchers describe in a blog.

Oracle researchers noted that the infected apps playing invisible ad videos can consume more than 10 GB/month of data and can quickly drain a charged battery, even if the infected apps are not in use or in sleep mode.

Malicious SDK

• This DrainerBot ad fraud is driven by code in a Software Development Kit (SDK) which has been installed in several Android apps.
• App developers might have installed the SDK to detect pirated installations of their apps and monetize the pirated installations through legitimate advertising.
• However, the SDK appears to have hijacked legitimate installs of their apps to load invisible fraudulent ads.

Signs that you might have been impacted by DrainerBot ad fraud

The following potential signs indicate that you’re impacted by the DrainerBot ad fraud operation,

• If you have downloaded mobile applications such as Perfect365, VertexClub, Draw Clash of Clans, Touch 'n' Beat – Cinema, or Solitaire: 4 Seasons (Full) that has incorporated the DrainerBot malicious code, then you might be a potential victim of DrainerBot campaign.
• If your mobile device gets hot and battery life quickly drains even when the phone is not in active use, then you might have been potentially affected by DrainerBot.
• If your mobile phone is consuming more data than it did prior to the installation of particular apps.
• If a mobile app crashes frequently, then it might be a DrainerBot infected application.

Researchers’ recommendations

• App developers should review their applications to check if any app has incorporated the SDK and if so, they must take appropriate remediation steps.
• Anti-virus vendors and security companies can use the information in the SDK to update their signature settings to detect apps that have incorporated the SDK.
• Ad fraud detection companies can use the SDK to filter or track bad ad impressions that are generated by mobile apps.

“The discovery of the DrainerBot operation highlights the benefit of taking a multi-pronged approach to identifying digital ad fraud by combining multiple cloud technologies. Bottom line is both individuals and organizations need to pay close attention to what applications are running on their devices and who wrote them,” Kyle York, VP of product strategy at Oracle Cloud Infrastructure said.