Google, Roku and others take down CTV ad fraud botnets

Google and Roku along with a group of cybersecurity and connected TV advertising companies teamed up to take down an ad fraud botnet operation responsible for an average of 650 million ad requests a day.

HUMAN (formerly White Ops), a cybersecurity company that specializes in protecting enterprises from bot attacks, along with the recently formed Human Collective – with members including Omnicom Media Group, The Trade Desk and Magnite – spearheaded the disruption efforts across Google and Roku platforms.

The botnet (dubbed PARETO) consisted of nearly a million infected mobile Android devices pretending to be millions of people watching ads on products running Fire OS, tvOS, Roku OS and other CTV platforms. It used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, a target HUMAN said is attractive to fraudsters since CTV ads are often priced higher than mobile ads.

“Publishers are paid in proportion to the traffic they sell, and CTV commands some of the highest prices in display advertising. By selling spoofed traffic, CTV fraudsters exploit the good reputation of the CTV device manufacturers, to sell a wholly illusory product, for top dollar,” said Michael McNally, chief scientist at HUMAN, in an email.

HUMAN said its Satori Threat Intelligence and Research Team found the PARETO operation in 2020 and has been working to prevent its impact on clients since then. The Google and Roku Stores have since taken down the malware applications. The cloud provider hosting PARETO’s command-and-control (C2) server was also notified, and the C2 is no longer in operation.

“HUMAN customers have also been advised of the risk and each are acting at their discretion to cease purchasing from the unreliable suppliers,” McNally said.

DoubleVerify also said this week that it confirmed seven fraud schemes targeting CTV devices over the past 18 months are part of one large, coordinated operation identified as OctoBot. The company said it caught the most recent variant of OctoBot, which has been operating since November 2019, in February and shut it down within 24 hours. MultiTerra, one of the variants within OctoBot, was estimated to have had a $1 million per month impact in diverted spend, and SneakyTerra, another variant, was estimated to have had a $5 million per month impact.

“We’ve been seeing fraudsters aggressively target the CTV space, but the OctoBot fraud scheme family, with its multiple tentacles, is unprecedented,” said DoubleVerify CEO Mark Zagorski in a statement. “OctoBot displays a high degree of ingenuity in its evolving approach — with each variant operating in a unique manner.”

McNally said that in ad fraud, his company often sees variations recur over time because of weak industry practices that leave CTV at risk of spoofing.

“To combat fraud, we recommend industry collaboration via the Human Collective to continually identify and root out fraudulent purchases, full adoption and enforcement of the IAB transparent supply chain initiative and technical implementations that provide superior anti-fraud signals, such as hardware attestation, inclusion of anti-fraud SDKs, and similar mechanisms,” he said.

HUMAN wasn’t able to share a dollar amount related to PARETO’s impact – Roku said the scheme impacted less than 0.1% of Roku devices – but McNally said the operation consisted of nearly one million infected devices spoofing millions of connected TV devices and hundreds of billions of fake advertising requests.

HUMAN also observed a smaller but connected effort by a single developer on Roku’s Channel Store with apps connected to PARETO. The apps linked to the developer were designed to communicate with the server that operates the PARETO botnet. Altogether, PARETO’s primary operation was associated with 29 Android apps and the secondary operation was associated with one Roku developer delivering the malware to infected devices.

“What’s especially striking about this operation is its scale and sophistication,” said McNally. “The actors behind PARETO have a fundamental understanding of numerous aspects of advertising technology and used that to their advantage in how they hid their work within the CTV ecosystem.”