For years, scammers have been hijacking people's computers into so-called botnets, opening hidden browser windows and automatically clicking on ads. That's fooling advertisers and their ad agencies into thinking real people saw their ads, costing them billions of dollars a year in wasted spending.
Now, the fraudsters have started moving to mobile phones. Using a technique that one ad fraud detection company calls mobile device hijacking, the scammers use mobile apps such as games that run as many as 20 ads a minute, then simulate random clicks. Forensiq, a New York firm that provides ad fraud detection and prevention, today is releasing one of the first studies to look at the relatively new technique.
Already, the company says, more than 12 million devices have been infected--about 1% of devices Forensiq observed in the U.S. and 2% to 3% in Europe and Asia. Forensiq figures that the hijacking affects some 13% of all in-app advertising impressions.
The cost to advertisers is adding up quickly, Forensiq founder and CEO David Sendroff said in an interview. He projects that in-app ad fraud, which the company estimated at $857 million last year, will pass $1 billion worldwide this year.
Users generally don't see any of this happening on their phone, at least not directly. But the apps--some 5,000 identified by Forensiq--still can be a plague on their phones. Forensiq found that in as little as an hour, a malicious app can download two gigabytes of images and videos, draining battery life and potentially burning through data limits.
By the way, the 5,000 apps identified by Forensiq are mostly obscure games and other apps intended specifically to hijack the phone, not popular ones such as Candy Crush or Angry Birds. But the company did find another problem for even some popular apps such as the Wickr messaging app and BlackBerry Messenger (BBM). They may not display ads but may be the victim of app spoofing, in which a dodgy publisher or ad network may change the app headers as they're passed to a mobile ad exchange to make them look like a different app.
The hijacking threat won't be easy to solve, partly because of the nature of apps. For one, antivirus software can't detect it. "It takes some skills to find these bad guys," Sendroff says, and advertisers will need to work with services such as--yes--Forensiq to catch the malicious apps.
Sendroff also figures that
What about the rest of us? There are several ways users can protect against their phones getting hijacked, says Sendroff:
* Read reviews of an app on the app store before installing it. If a lot of people are complaining that it eats up battery life or slows down their device, that's a red flag.
* Stick with the popular apps. They aren't trying to hijack you into anything except using their apps.
* Look at the permissions the app asks for. Don't install it if anything looks suspicious, such as a request to run at startup, prevent a device from sleeping, change content on an SD card, and get access to location services while running in the background.
* Disable Internet access to the app in its settings if it doesn't seem to require a connection. That will prevent ads from being called. Most simple games, for instance, don't really need Internet access.
* In your phone's settings, see if any apps are using seemingly excessive bandwidth for their purpose. That's another red flag.
* Regularly uninstall apps you're not using. Malicious apps can work in the background even after you restart your phone.
