MAdFraud: Investigating Ad Fraud in Android Applications

Jonathan Crussell, Ryan Stevens, Hao Chen

Many Android applications are distributed for free but are supported by advertisements. Ad libraries embedded in the app fetch content from the ad provider and display it on the app's user interface. The ad provider pays the developer for the ads displayed to the user and ads clicked by the user. A major threat to this ecosystem is ad fraud, where a miscreant's code fetches ads without displaying them to the user or "clicks" on ads automatically. Ad fraud has been extensively studied in the context of web advertising but has gone largely unstudied in the context of mobile advertising. We take the first step to study mobile ad fraud perpetrated by Android apps. We identify two fraudulent ad behaviors in apps: 1) requesting ads while the app is in the background, and 2) clicking on ads without user interaction. Based on these observations, we developed an analysis tool, MAdFraud, which automatically runs many apps simultaneously in emulators to trigger and expose ad fraud. Since the formats of ad impressions and clicks vary widely between different ad providers, we develop a novel approach for automatically identifying ad impressions and clicks in three steps: building HTTP request trees, identifying ad request pages using machine learning, and detecting clicks in HTTP request trees using heuristics. We apply our methodology and tool to two datasets: 1) 130,339 apps crawled from 19 Android markets including Play and many third-party markets, and 2) 35,087 apps that likely contain malware provided by a security company. From analyzing these datasets, we found that about 30% of apps with ads make ad requests while running in the background. In addition, we found 27 apps which generate clicks without user interaction. We found that the click fraud apps attempt to remain stealthy when fabricating ad traffic by only periodically sending clicks and changing which ad provider is being targeted between installations.
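The request-tree and click-detection steps named in the abstract, sketched as an added example that is not the authors' MAdFraud code: it builds request trees from a constructed capture and flags background ad requests and click-like requests. Linking requests by a parent URL, the `/getad` rule standing in for the machine-learning classifier, and treating a redirected descendant of an ad request as a click are all assumptions made here.

```python
from urllib.parse import urlsplit

# Constructed sample capture from one emulator run (not data from the paper).
# "parent" is the URL that led to this request, e.g. taken from a Referer
# header or a redirect source (assumption about how requests are linked).
CAPTURE = [
    {"url": "http://ads.example/getad?pub=1", "parent": None, "status": 200, "foreground": True},
    {"url": "http://cdn.example/banner.png", "parent": "http://ads.example/getad?pub=1", "status": 200, "foreground": True},
    {"url": "http://ads.example/getad?pub=1&n=2", "parent": None, "status": 200, "foreground": False},
    {"url": "http://ads.example/click?id=9", "parent": "http://ads.example/getad?pub=1&n=2", "status": 302, "foreground": False},
    {"url": "http://shop.example/landing", "parent": "http://ads.example/click?id=9", "status": 200, "foreground": False},
    {"url": "http://api.example/scores", "parent": None, "status": 200, "foreground": True},
]

def is_ad_request(url):
    # Hypothetical stand-in for the paper's machine-learning classifier.
    return urlsplit(url).path == "/getad"

def build_trees(capture):
    """Link each request to its parent; return (roots, children-by-URL map)."""
    children = {r["url"]: [] for r in capture}
    roots = []
    for r in capture:
        if r["parent"] in children:
            children[r["parent"]].append(r)
        else:
            roots.append(r)  # no known parent: start of a new tree
    return roots, children

def descendants(node, children):
    """Yield every request below `node` in its tree, depth first."""
    for child in children[node["url"]]:
        yield child
        yield from descendants(child, children)

def analyze(capture, user_touched_ad=False):
    """Report ad requests made in the background and click-like requests."""
    _, children = build_trees(capture)
    ads = [r for r in capture if is_ad_request(r["url"])]
    background = [r["url"] for r in ads if not r["foreground"]]
    # Assumed heuristic: a redirected (3xx) descendant of an ad request is a click.
    clicks = [d["url"] for ad in ads for d in descendants(ad, children)
              if 300 <= d["status"] < 400]
    return {"background_ad_requests": background,
            "clicks_without_interaction": [] if user_touched_ad else clicks}
```
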