Is your Android phone feeling hot to the touch, acting sluggish, in need of frequent charges, or using dramatically more data than it used to? It may be a victim of DrainerBot, a major fraud operation distributed through Google Play apps with more than 10 million downloads, researchers said Wednesday.
The apps catered to a wide variety of interests, from makeup and beauty to mobile gaming. Under the hood, the apps download hidden video ads to the phones that consume as much as 10GB per month of bandwidth. While the videos are never viewed by or visible to anyone, the downloads generate fraudulent advertising revenue each time a legitimate end user device appears to view a video while visiting a spoofed but legitimate publisher site.
“DrainerBot is one of the first major ad fraud operations to cause clear and direct financial harm to consumers,” said Eric Roza, senior vice president and general manager of Oracle Data Cloud, which uncovered the scheme. “DrainerBot-infected apps can cost users hundreds of dollars in unnecessary data charges while wasting their batteries and slowing their devices.”
Phone owners aren’t the only ones harmed by DrainerBot. The apps bill advertisers for video downloads that are never viewed, and they harm publishers whose domains are spoofed.
Oracle said hundreds of popular consumer Android apps and games were, or had in the past been, infected with the DrainerBot code and that collectively they were installed more than 10 million times. The company provided the names of just five of the infected apps: Perfect365, VertexClub, Draw Clash of Clans, Touch ‘n’ Beat - Cinema, and Solitaire: 4 Seasons. While the company is providing a complete list to security researchers, a spokeswoman declined to provide it to Ars. Not all of the apps Oracle found are currently infected, the spokeswoman said.
Am I infected?
There are several ways to figure out if your device is running an infected app. The best method is to check installed apps for high data usage. To do this from Android 9, go to Settings > Network and Internet > Data Usage > App Data Usage. Then see how much data the top-listed apps are consuming in the background. DrainerBot apps are likely to consume data in the gigabytes per month.
Other signs that a phone is running DrainerBot-infected apps are sluggishness and devices that feel warm even when they're not being used.
Of the five apps identified by Oracle as being infected, only Solitaire: 4 Seasons (Full) appeared to still be available on Play. Google is generally quick to remove abusive apps once they’re reported. The company continues to struggle to keep them out of the market in the first place.
Oracle said that DrainerBot appears to be distributed by a software development kit provided by Tapcore, a Netherlands-based company that says it helps developers generate revenue from pirated versions of their apps. Tapcore’s website doesn’t provide a means for journalists to send questions, and company representatives didn’t respond to a Twitter message. In a blog post found after Ars published this article, Tapcore officials denied having played any "intentional" role in the DrainerBot scheme.
"At the moment of first hearing about the DrainerBot ad fraud scheme, Tapcore began immediate internal investigation to see whether any such code was ever distributed through its network without its knowledge," company officials wrote. "The company is ready to cooperate with all interested parties and provide all results on its findings. Openness and transparency is paramount in the mobile advertising industry, and Tapcore is prepared to share all data and results."
This article was updated to add comment from Tapcore.