DrainerBot is a sophisticated ad fraud operation that uses malicious code in mobile apps to deliver fraudulent, invisible video ads to Android devices.
The infected app reports back to the ad network that each video advertisement has appeared on a legitimate mobile publisher site, but the sites are spoofed, not real. Fraudulent video ads do not appear onscreen in the apps and are never seen by users.
This fraudulent activity appears to be driven by code in an SDK ("Software Development Kit") which has been installed in hundreds of different Android apps.
Infected apps consume significant bandwidth and battery, with tests and public reports indicating an app can consume more than 10 GB/month of data or quickly drain a charged battery, even if the infected app is not in use or in sleep mode.
App developers may have installed the SDK to help monetize pirated installations of their apps through legitimate advertising. However, the SDK appears to have hijacked legitimate installs of their apps to load hidden and fraudulent ads.
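The reporting pattern described above, a video ad that is claimed against a publisher site the app does not own and that never renders on screen, is the kind of signal an ad network's invalid-traffic screen can look for. The following is an added example written for this page, not Moat's or Oracle's code; the record fields, the app-to-site registry and the burst threshold are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample records and field names are assumptions for this example,
# not Moat's feed: each is what an SDK reports to an ad network per video ad.
@dataclass
class Impression:
    device_id: str
    app_package: str
    reported_site: str   # publisher site the SDK claims the ad ran on
    viewable_ms: int     # time the video player was actually on screen
    player_w: int
    player_h: int

# Constructed registry of the sites each app may legitimately report.
APP_SITES = {
    "com.example.game": {"game.example.com"},
    "com.example.news": {"news.example.net"},
}

def ivt_flags(imp: Impression) -> list[str]:
    """Invalid-traffic reasons that apply to a single impression report."""
    flags = []
    if imp.reported_site not in APP_SITES.get(imp.app_package, set()):
        flags.append("spoofed_site")     # site claim the app does not own
    if imp.viewable_ms == 0 or imp.player_w * imp.player_h == 0:
        flags.append("never_rendered")   # hidden, never-seen video ad
    return flags

def screen(impressions: list[Impression], burst_limit: int = 20) -> dict[str, list[str]]:
    """Map each suspicious device to its reasons; a device reporting more than
    burst_limit impressions in one batch is also flagged as a burst."""
    per_device = Counter(i.device_id for i in impressions)
    verdicts: dict[str, list[str]] = {}
    for imp in impressions:
        reasons = ivt_flags(imp)
        if per_device[imp.device_id] > burst_limit:
            reasons.append("burst")
        if reasons:
            seen = verdicts.setdefault(imp.device_id, [])
            seen.extend(r for r in reasons if r not in seen)
    return verdicts

# Constructed batch: a clean device, a spoofing device, and a device firing
# 25 unseen ads in the background, as the advisory describes.
SAMPLE = [
    Impression("dev-A", "com.example.game", "game.example.com", 8000, 320, 180),
    Impression("dev-B", "com.example.game", "premium.example.org", 0, 0, 0),
] + [Impression("dev-C", "com.example.news", "other.example.org", 0, 1, 1)] * 25
```

Running `screen(SAMPLE)` leaves dev-A unflagged and reports dev-B for the spoofed site and the invisible player, with dev-C additionally flagged for the burst.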
If you are an Android user, here are some potential signs that you may be impacted by DrainerBot:
Here are some steps you can take if you have an app that you think might be infected with DrainerBot on your Android device:
Step 1: Open your device Settings.
Step 2: Select Apps and notifications.
Step 3: Select the app you want to uninstall. (If you don't see it, select 'See all apps'.)
Step 4: Select Uninstall.
To review or change the permissions an app has been granted:
Step 1: Open the Settings app.
Step 2: Select Apps or Application Manager (depending on the device).
Step 3: Select the app whose permissions you want to change.
Step 4: Select Permissions.
Step 5: Toggle specific permissions on or off.
You should take additional steps to review your phone’s security settings and app permissions to be sure they are accurate and appropriate.
To check how much data each app is using in the background:
Step 1: Select Settings.
Step 2: Navigate to Data Usage.
Step 3: Select App Data Usage.
Step 4: See how much data each app is using in a backgrounded state.
Step 5: Restrict apps with excessive backgrounded data usage.
Step 1: Remove backgrounded data permissions (described above).
The Moat Analytics team has updated its IVT (invalid traffic) identification and screening systems so that DrainerBot traffic is clearly identified as fraudulent and, where possible, blocked. If you have any additional questions about your account, please contact your Moat Analytics Account Manager.
Oracle believes that information sharing is critical when new types of threats such as DrainerBot are discovered, so companies across the industry can work together and protect the digital advertising supply chain, customers, and the public.
It is rare for a botnet to be linked to a single primary code source, but when it is, that is helpful from a remediation standpoint: sharing the SDK allows companies across the digital advertising supply chain to identify and address the threat, protecting their businesses and consumers.
To assist in that process, information about the SDK that appears to be the vector for distribution of DrainerBot is available to security professionals.
To request a list of infected apps, sample infected APKs (Android Package Kits), the SDK, and the SDK documentation, security professionals should contact firstname.lastname@example.org.