Experts Find Botnet Disguised as Millions of People Watching TV

Fraudsters operate off the assumption that it’s way more profitable to think up byzantine ways to cheat people out of money than it is to just, like, work hard and ask for a promotion occasionally. For instance: an Israeli tech company is currently accused of using a very convoluted method to screw advertisers out of buttloads of cash by pretending to be a bunch of people watching TV.

TopTop Media, a subsidiary of Tel Aviv-based M51 Group, bills itself as a tech company focused on solutions for app developers and advertisers. It promises to employ “real-time optimization and user profiling” in order to leverage data it gathers from its “ongoing media acquisition activities” and, you know, deliver profits somewhere in there. However, according to new research from security firm HUMAN, TopTop’s “solutions” are less than desirable.

In an elaborate scheme, the company allegedly created 29 malicious Android apps and then snuck them into the Google Play Store and third-party stores, managing to quietly infect close to a million devices with malware. The infected devices were then allegedly used to build an ever-growing botnet that fraudulently spoofed connections to streaming-TV platforms all over the world, thereby generating illegitimate ad revenue.

In other words, like other ad fraud, the scheme sought to bilk elements of the advertising ecosystem that pay for the opportunity to show ads to consumers. Because advertisers will pay streaming apps for the opportunity to use their platforms to display ads, generating the appearance of being an app like this can get you, in the immortal words of Dire Straits, money for nothing. Thus TopTop’s malicious apps used spoofing sorcery to fool ad exchanges into believing they were just such streaming apps, active on smart TV products from Apple, Amazon, Google, and others— thereby generating the appearance of “millions of people watching ads on smart TVs and other devices,” researchers say. 

The dozens of apps involved in the alleged scam all linked back to the same command and control server. While designed to appear harmless (such as the innocuous-looking flashlight app pictured below), the apps were, in reality, making an average of 650 million bid requests a day. Such requests are automatically triggered by online user engagement—like a click or a “view”—and represent the lifeblood of the online ad industry.

In a different but related case, affiliates of the same company reportedly deployed 36 malicious apps onto the Roku’s Channel Store, which similarly spoofed connections to smart TVs and other streaming products in an effort to garner illegitimate ad revenue.

“The operators behind the botnet took advantage of the recent shift to digital accelerated by the pandemic by hiding in the noise in order to trick advertisers and technology platforms into believing that ads were being shown on consumer streaming devices,” HUMAN researchers write.

Michael McNally, one of the company’s top researchers, said in an interview that in many cases, the apps used were merely open-source programs that had been turned into trojans. The developers repackaged the apps, injected them with malicious code, then attempted to shepherd them onto popular platforms where a lot of people would download them. With nearly a million Android users unwittingly caught up in the vast, rat-king-like botnet, the scheme apparently worked like gangbusters.

HUMAN says that they helped take the botnet down and that the apps involved have all since been deleted from Google and Roku’s stores. Law enforcement has also been notified. We have reached out to the M51 Group for comment on this story and will update it if we hear back from them.