Moat

DrainerBot Information & Mitigation

Overview

DrainerBot is a sophisticated ad fraud operation that uses malicious code in mobile apps to deliver fraudulent, invisible video ads to Android devices.

The infected app reports back to the ad network that each video advertisement has appeared on a legitimate mobile publisher site, but the sites are spoofed, not real. Fraudulent video ads do not appear onscreen in the apps and are never seen by users.

This fraudulent activity appears to be driven by code in an SDK ("Software Development Kit") which has been installed in hundreds of different Android apps.

Infected apps consume significant bandwidth and battery, with tests and public reports indicating an app can consume more than 10 GB/month of data or quickly drain a charged battery, even if the infected app is not in use or in sleep mode.

App developers may have installed the SDK to help monetize pirated installations of their apps through legitimate advertising. However, the SDK appears to have hijacked legitimate installs of their apps to load hidden and fraudulent ads.

Consumers

If you are an Android user, here are some potential signs that you may be impacted by DrainerBot:

  • You have downloaded an app that has incorporated the DrainerBot SDK and recently has been generating fraudulent traffic, including "Perfect365," "VertexClub," "Draw Clash of Clans," "Touch 'n' Beat – Cinema," or "Solitaire: 4 Seasons (Full)";
  • Your phone gets hot and battery life quickly drains even when the phone is not in active use;
  • Your phone is using dramatically more data than it did prior to installation of a particular app or set of apps; and/or
  • Your phone is sluggish and apps crash with great frequency.

Here are some steps you can take if you have an app that you think might be infected with DrainerBot on your Android device:

If you would like to delete an app

Step 1: Open your device Settings.

Step 2: Select Apps and notifications.

Step 3: Select the app you want to uninstall. (If you don't see it, select 'See all apps')

Step 4: Select Uninstall.

If you would like to restrict permissions for an app

Step 1: Open the Settings app.

Step 2: Select Apps or Application Manager (based on device).

Step 3: Select the app you want to update.

Step 4: Select Permissions.

Step 5: Toggle specific permissions on or off.

You should take additional steps to review your phone’s security settings and app permissions to be sure they are accurate and appropriate.

Review app data usage on your device and beware of apps that have very high background data usage

Step 1: Select Settings

Step 2: Navigate to Data Usage

Step 3: Select App Data Usage

Step 4: See how much data each app is using in the background

Step 5: Restrict apps with excessive background data usage

Adjust the permissions given to installed apps

Step 1: Remove background data permissions (described above)

Moat Analytics Customers

The Moat Analytics team updated its IVT identification and screening systems to ensure that DrainerBot traffic has been clearly identified as fraudulent and blocked, when possible. If you have any additional questions about your account, please contact your Moat Analytics Account Manager.

Threat Intelligence Community

Oracle believes that information sharing is critical when new types of threats such as DrainerBot are discovered, so companies across the industry can work together and protect the digital advertising supply chain, customers, and the public.

It is rare for a botnet to be linked to a single primary code source, but when it is, that is helpful from a remediation standpoint. In that case, sharing the SDK allows companies across the digital advertising supply chain to identify and address the threat, thus protecting their businesses and consumers.

To assist in that process, information about the SDK that appears to be the vector for distribution of DrainerBot is available to security professionals.

  • App developers should review their products to see if any have incorporated the SDK and take appropriate remediation steps, if so.
  • Anti-virus providers and security companies can use the information in the SDK to update their signatures or other tools to find, and take appropriate action on, apps that have incorporated the SDK.
  • Ad fraud detection companies can use the SDK to filter or track ad impressions being generated by apps with it installed.

To request a list of infected apps, sample infected APKs (Android Package Kits), the SDK, and the SDK documentation, security professionals should contact drainerbot_ww@oracle.com.