DrainerBot: The Mobile Ad Fraud Operation Stealing Your Data

Sam Carr | June 25th, 2020

drainerbot cover

Ad Fraud

blog sidebar

Have you ever run out of mobile data faster than expected? Or perhaps your mobile phone is always red hot, even when it’s not doing anything.

If you’ve experienced any of these symptoms recently, then you could be a victim of DrainerBot, an ad fraud scheme costing advertisers millions while draining everybody’s mobile resources.

This malware has been hiding in millions of mobile phones secretly draining their battery, mobile data, and other resources in order to help gangs make boatloads of cash.

Yet having been monitored by security analysts for the past several years, there’s much more to this malware that meets the eye.

In this article, we’ll be breaking down what DrainerBot is, how it works, and who it’s affecting. And if by the end of this article you’re convinced your phone might have it, we’ll also be showing you how to banish it for good.

What Is DrainerBot?

what is drainerbot

First discovered by Oracle in February 2019, during a joint collaboration with Oracle and Dyn Acquisitions, DrainerBot is a major mobile ad fraud operation that has infected millions of devices.

The malware is distributed through infected consumer apps that can be downloaded on the Playstore. Once a device is infected, DrainerBot will start to continually run videos in the background of the device unknown to the user.

With no visual videos being shown on the device, this bot can often go unnoticed for a long period of time. Each ad that is displayed in the background is recorded as a legitimate view by the advertising network. This means that advertisers are essentially paying money for non-human views without even realizing it.

This results in advertisers effectively wasting their ad budget on bot views, while the creator behind the bot makes money by acting as a legitimate publisher on the network.

In addition to wasting advertisers ad budgets, the bot also drains the user’s mobile data and battery. While the bot is running, it will use any data method to play the videos, whether its WiFi, 5G, 4G or 3G. Tests and public reports have shown that the bot can consume more than 10GB of mobile data a month while also quickly draining the battery. All while the infected app is not active and the phone is in sleep mode.

As you can see, it’s clear where the name comes from since it drains both the user’s mobile battery and data.

Who Made DrainerBot?

Although there has been plenty of research into the origins of DrainerBot and where it came from, so far there has been no definitive answer. The researchers at Oracle concluded that it was primarily distributed unknowingly via a software development kit (SDK) which was used to build hundreds of popular apps.

This software development kit allows app developers to monetize any illegal copies of their mobile applications by delivering ads to users to claw back lost revenue. Any developer who used this SDK in their app unknowingly turned their application into ad fraud malware which DrainerBot could take advantage of. At the time DrainerBot was discovered, the SDK has been incorporated into more than 3,000 apps and served over 150 million ad requests a month.

The company behind the infected software development kit, Tapcore, denied any involvement in the malware in a press release shortly after the bot’s discovery. They also said they would be launching a full investigation into the bot and sharing the results to help make the industry more transparent and to clear their name.

Even though there has been plenty of research into the ad fraud scheme, researchers still don’t know who benefitted from it and who made all the money. That will remain a mystery.

Common DrainerBot Symptoms

drainerbot symptoms

Now you know a bit more about DrainerBot and how it works, what are the common symptoms you should be checking on your mobile device?

The first and most obvious sign that there might be something wrong with your mobile device is if certain apps keep crashing your phone. This usually happens when an app uses a large number of resources behind the scenes. In this scenario, DrainerBot uses plenty of mobile resources without the user being aware. They usually only notice when their data bill arrives at the end of the month.

This brings us to another common symptom of DrainerBot: excessive data usage in a short period of time. If you regularly use 5GB of data a month and suddenly it jumps to 15GB, then you should be investigating the drastic increase. DrainerBot can quickly increase your monthly data usage by 10GB or more from installing an infected app. So any large data increases could be something running in the background of your phone (or maybe you’re just watching YouTube videos without being on the WiFi!).

Just as using a lot of data in a short period of time can be a clear DrainerBot trait, so is running out of battery incredibly fast. With videos being played non-stop in the background, the bot can quickly drain a full battery in tens of minutes while also becoming incredibly hot. If your mobile is always hot to touch, even when it’s on sleep mode, then there’s a good chance a resource-heavy app is running in the background.

Anyone of these symptoms could mean your phone is infected with DrainerBot, but the most obvious one is the excessive data use. If you close all your apps and excessive amounts of data are still being transferred, then that’s a big sign a suspicious app is running in the background.

How To Get Rid Of DrainerBot

If you’re positive your phone could be infected, then don’t worry, it is possible to restore your phone back to normal without having to buy a new one.

Since DrainerBot can be injected into any app that uses the Tapcore software development kit, the first step is to analyze your existing apps for suspicious behavior. If you have an app that continually crashes your phone or makes it run really slow, then it could be a culprit.

To check if an app is using lots of data in the background:

  • Go to settings
  • Select data usage
  • Select the app you want to check
  • See how much data is being used in a background state
  • Restrict or delete any apps with excessive background data usage

But in order to stop being infected again, you should probably be careful what apps you download.

According to Appbrain, the Tapcore SDK is currently used on seven apps with two of them having over 50 million downloads. Our advice would be to avoid any app that uses Tapcore at the moment until the malware has been eradicated entirely.

This means you should avoid any of the following apps which have been noted to use or have used the Tapcore SDK:

  • Draw Clash of Clans
  • Solitaire: 4 Seasons
  • Robbery Bob
  • Robbery Bob 2: Double Trouble
  • Car Transporter Cargo Plane 3D
  • MyFileManager
  • Gem Calculator For Clash of Clans
  • VertexClub
  • Perfect365
  • Touch ‘n’ Beat – Cinema

DrainerBot is just one of many ad fraud rings out there that is trying to steal advertiser’s ad spend by any means necessary.

With malware and automated bots becoming more and more sophisticated, having the right tool to fight back against them is crucial.

At Lunio, we fight off automated bots every day for our clients and ensure that their PPC ads are only seen and clicked by real humans.

If you’re running any Google Ads campaigns and want to avoid the next big ad fraud scheme, then sign up to our free 14-day trial to protect your ads from all automated bots.

mock

Stop All Advertising Fraud in Seconds

Get Started Now How it Works