Researchers Uncover Advertising Scam Targeting Streaming-TV Apps
Fraudsters infected nearly one million mobile devices with software that mimicked streaming-TV apps and collected revenue from unsuspecting advertisers, according to cybersecurity company Human Security Inc., exposing vulnerabilities in a fast-growing corner of the digital ad market.
The fraudsters spoofed an average of 650 million ad placement opportunities a day in online ad exchanges, stealing ad dollars meant for streaming apps available on popular streaming-TV platforms run by Apple Inc. and Google, Human Security said.
The researchers described the fraud operation as sophisticated, but said it could be stymied if digital ad players strictly followed industry guidelines for tracking the origins of traffic and implemented certain security features. Human Security didn’t provide an estimate for how much money the fraudsters collected.
Roku said the scheme didn’t affect advertisers who bought ads from Roku directly. “Roku is committed to fighting ad fraud in every form and to the development of leading practices for staying ahead of fraud globally,” said Willard Simmons, vice president of product management at Roku.
A Google spokesman said that the company has sophisticated defenses in place to protect its ad systems against fraud and issues credits or refunds when necessary.
Representatives for Amazon and Apple declined to comment.
The so-called connected-TV industry—streaming apps and the platforms that distribute them—has been growing quickly and will command $13.4 billion in ad spending in 2021, according to research firm eMarketer. The sector’s high prices—ad space often goes for around $25 per thousand impressions, compared with a few dollars for static display ads—make it an attractive target for fraudsters.
“Measurement and security companies will just play whack-a-mole, as long as the industry hasn’t upgraded to better defenses,” said Michael McNally, Human Security’s chief scientist.
Fraud has plagued the digital-advertising industry since its inception. Most online ad buying happens through exchanges rather than directly from sellers. Buyers bid for available inventory, generally targeting certain kinds of audiences, and are matched with sellers by middlemen. Ad space in the connected-TV industry is often bought this way. Mr. McNally said that as the streaming ad industry grows, security safeguards aren’t keeping pace.
“Buyers in principle have the power here,” he said. “They’re the ones that fund the online ecosystem.”
The researchers identified the company behind the apps that facilitated the fraud as TopTop Media, a subsidiary of Tel Aviv-based M51 Group. Neither TopTop Media nor M51 executives responded to requests for comment.
In the alleged scam, users downloaded what looked like legitimate apps on Android devices—games or digital flashlights, for example—and were unaware the apps contained code to perpetrate ad fraud, Human Security said. TopTop Media created 29 such apps, according to Human Security. Google, the maker of the Android operating system for phones, said it removed the apps after being notified of the alleged scheme.
The TopTop apps quietly sent signals to digital ad exchanges pretending to be some 6,000 apps on popular streaming-TV operating systems. The fraudsters duped the advertisers, who believed they were buying space on real apps, the researchers said.
Human Security dubbed the scheme “Pareto,” after the eponymous economics principle, which holds that a small number of actors—or in this case, apps—could do a large amount of damage.
Mr. McNally said future schemes could be headed off if real streaming devices, and the ad space sold in them, had identifiers that all industry stakeholders could recognize. Google, Roku and major advertising technology companies have said they are participating in industry discussions to improve security for connected TV.
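The mechanism described above, a mobile app submitting bid requests that claim to be a connected-TV app, is the kind of thing a buyer or exchange can screen for on its own side. The following Python is an added example written for this page, not code from Human Security, Roku, Google or the article's authors: it models a bid request as a small dictionary, checks the declared app identifier against an allow-list of known streaming-TV apps, checks that the device evidence agrees with the claimed platform, and flags a single source emitting an implausible volume of requests. The field names, the app registry and the user-agent markers are assumptions made for the example, not any exchange's real schema.

```python
"""
Constructed, illustrative checks for spoofed connected-TV bid requests.
Field names, the app registry and the user-agent markers below are
assumptions for this example, not a real ad exchange's schema.
"""
from collections import Counter

# Assumed allow-list of known streaming-TV app identifiers and the platform
# each is published on (constructed example data, not real app IDs).
KNOWN_CTV_APPS = {
    "tv.example.news": "roku",
    "tv.example.sports": "firetv",
    "tv.example.movies": "androidtv",
}

# Substrings that suggest a phone rather than a TV device. "android" also
# appears in Android TV user agents, so a TV marker overrides it.
# (Assumption for the example; a real check would use stronger device evidence.)
MOBILE_MARKERS = ("android", "mobile", "iphone")
TV_MARKERS = ("roku", "aft", "smarttv", "android tv")


def classify_request(req):
    """Return the list of reasons this bid request looks spoofed (empty = clean)."""
    reasons = []
    app_id = req.get("app_id", "")
    platform = req.get("platform", "")
    ua = req.get("user_agent", "").lower()

    # Rule 1: the claimed app must be a known, registered streaming-TV app.
    expected_platform = KNOWN_CTV_APPS.get(app_id)
    if expected_platform is None:
        reasons.append("unknown app identifier")
    # Rule 2: the claimed platform must match where that app is published.
    elif expected_platform != platform:
        reasons.append("platform does not match registered app")

    # Rule 3: a phone's user agent should not be selling TV inventory.
    looks_mobile = any(m in ua for m in MOBILE_MARKERS) and not any(
        t in ua for t in TV_MARKERS
    )
    if looks_mobile:
        reasons.append("mobile device claiming connected-TV inventory")
    return reasons


def scan(requests, max_per_source=100):
    """Classify a batch of requests and add a volume rule: any one source
    emitting more than max_per_source requests in the batch is flagged.
    Returns {index: [reasons]} for flagged requests only."""
    per_source = Counter(r.get("source_ip") for r in requests)
    flagged = {}
    for i, r in enumerate(requests):
        reasons = classify_request(r)
        if per_source[r.get("source_ip")] > max_per_source:
            reasons.append("request volume from one source above threshold")
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample batch: one clean TV request, one phone pretending to be
# a registered TV app, and one request for an app that is not registered.
SAMPLE_REQUESTS = [
    {"app_id": "tv.example.news", "platform": "roku",
     "user_agent": "Roku/DVP-9.10 (519.10E04111A)", "source_ip": "203.0.113.5"},
    {"app_id": "tv.example.news", "platform": "roku",
     "user_agent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) Mobile",
     "source_ip": "198.51.100.9"},
    {"app_id": "tv.example.games", "platform": "firetv",
     "user_agent": "Mozilla/5.0 (Linux; Android 9; AFTT) SmartTV",
     "source_ip": "198.51.100.9"},
]

if __name__ == "__main__":
    # A low threshold so the constructed batch also trips the volume rule.
    for idx, why in scan(SAMPLE_REQUESTS, max_per_source=1).items():
        print(idx, SAMPLE_REQUESTS[idx]["app_id"], "->", "; ".join(why))
```

The allow-list stands in for the shared, recognizable identifiers Mr. McNally calls for: without an agreed registry of real streaming devices and apps, rule 1 cannot be applied consistently across the industry, and the other two rules are only heuristics that a determined fraudster can tune around.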
Write to Patience Haggin at email@example.com and Jeff Horwitz at Jeff.Horwitz@wsj.com
Copyright ©2020 Dow Jones & Company, Inc. All Rights Reserved.