Security Experts:

Massive Android Botnet Hits Smart TV Ad Ecosystem

Security researchers at Human Security (formerly White Ops) have discovered a massive botnet of Android devices being used to conduct fraud in the connected TV advertising ecosystem.

The sophisticated mobile botnet, dubbed Pareto, is made up on nearly a million infected mobile Android devices pretending to be millions of people watching ads on smart TVs and other devices.

Human Security said the botnet used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, accounting for an average of 650 million ad requests every day.

The bot mitigation startup, said its Satori Threat Intelligence and Research Team first discovered the mobile botnet in 2020 and has been working to mitigate the threat while partnering with Google, Roku and others to disrupt the ad-fraud operation.

The Pareto botnet worked by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent CTV platforms.

Human Security researchers found that the botnet took advantage of digital shifts that were accelerated by the pandemic, hiding in the noise in order to trick advertisers and technology platforms into believing ads were being shown on CTVs. “This particular approach is lucrative for fraudsters, as pricing for ads on connected TVs is often substantially higher than pricing on mobile devices or on the web,” the company said.

The company said the Pareto operators have been “incredibly sophisticated and evasive over the last year,” changing spoofing cycles to come up with new disguises for fake traffic.

Human Security said its researchers also found a distinct-but-connected operation on Roku.  “We found a collection of 36 apps on Roku’s Channel Store that received instructions from the same server that was operating nodes in the Pareto botnet.”

“That server, called a command-and-control (C2) server, sends instructions out to all of the phones that have been infected, and those phones then carry out the activity. These Roku apps, in a similar fashion to the Android-based Pareto apps, were spoofing other smart TV and consumer streaming products,” according to a technical report on the botnet.

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. Ryan is a veteran cybersecurity strategist who has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's past career as a security journalist included bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.