A research initiative from the US, Australia and China has identified a new strain of click fraud, dubbed ‘Humanoid Attack’, that slips past conventional detection frameworks and exploits real-life user interactions in mobile apps in order to generate revenue from fake clicks on advertisements served by embedded third-party ad frameworks.
The paper, led by Shanghai Jiao Tong University, contends that this new variation on click fraud is already widespread, and identifies 157 infected apps among the top-rated 20,000 apps in the Google Play and Huawei app markets.
One HA-infected social and communication app discussed in the study is reported to have 570 million downloads. The report notes that four other apps ‘produced by the same company are manifested to have similar click fraud codes’.
To detect apps that feature Humanoid Attack (HA), the researchers developed a tool named ClickScanner, which uses static analysis to build data dependency graphs from bytecode-level inspection of Android apps.
The key features of HA extracted from those graphs are encoded into a feature vector and scored by a classifier trained only on non-infected apps, so that infected apps can be identified as deviations from that baseline. The researchers claim that ClickScanner runs in less than 16% of the time taken by the most popular comparable scanning frameworks.
Humanoid Attack Methodology
Click fraud is typically revealed through identifiable patterns of repetition, unlikely contexts and other tell-tale signs of mechanization: simulated interaction with advertising fails to match the more varied and random usage patterns of real users.
Therefore, the research claims, HA copies the pattern of real-world user clicks within the infected Android app, so that fake ad interactions match the user’s general profile, including active times of use and other signature features that indicate non-simulated usage.
HA appears to use four approaches to simulate clicks: randomizing the coordinates of the events it sends to dispatchTouchEvent in Android; randomizing the triggering time; shadowing the user’s real clicks; and profiling the user’s click patterns in code before communicating with a remote server, which may then send back enhanced fake actions for HA to perform.
HA is implemented differently across individual apps, and quite differently across categories of apps, which further obscures any patterns that heuristic methods, or established industry-standard scanning products expecting better-known pattern types, might easily detect.
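The detection side of this, as the article describes it, is static: ClickScanner follows data dependencies through the bytecode to the call that injects the synthetic touch event, and turns what it finds into a feature vector. The following Python is an added illustration written for this article, not ClickScanner’s code or anything from the paper. It works over a constructed, simplified listing that stands in for decompiled Dalvik bytecode (the instruction tuple format, the register names and the particular source and sink methods are all assumptions), tracks which values derive from a random number generator, the clock or the user’s own MotionEvent, and reports which of the four HA behaviours listed above are present in a method.

```python
"""Toy data-dependency check for Humanoid Attack (HA) click-simulation features.

Added illustration for this article; not ClickScanner's code. The instruction
format below is a constructed stand-in for decompiled Dalvik bytecode: every
instruction is `dest = op(args...)`, registers are named v<n>, and literals
are prefixed with '#'. The source/sink method names are assumptions chosen
to mirror the behaviours the paper describes.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Instr(NamedTuple):
    dest: str        # register written ("" for void calls)
    op: str          # callee, or an arithmetic operator such as "add"
    args: List[str]  # registers or '#literals' read


# Where "humanoid" values come from: randomness, the wall clock, or the
# coordinates of the user's own touch event.
SOURCES = {
    "Ljava/util/Random;->nextInt": "random",
    "Ljava/util/Random;->nextFloat": "random",
    "Ljava/lang/System;->currentTimeMillis": "time",
    "Landroid/view/MotionEvent;->getX": "real_touch",
    "Landroid/view/MotionEvent;->getY": "real_touch",
}
EVENT_FACTORY = "Landroid/view/MotionEvent;->obtain"    # (downTime, eventTime, action, x, y, metaState)
TOUCH_SINK = "Landroid/view/View;->dispatchTouchEvent"  # (view, event)
DELAY_SINK = "Landroid/os/Handler;->postDelayed"        # (handler, runnable, delayMillis)
NET_SINK = "Ljava/io/OutputStream;->write"              # (stream, bytes)

FEATURES = ("randomized_coordinates", "randomized_trigger_time",
            "click_shadowing", "click_profiling_upload")


def analyse(method: List[Instr]) -> Dict[str, bool]:
    """Forward taint pass over straight-line code (loops and branches are not modelled)."""
    taint: Dict[str, Set[str]] = defaultdict(set)   # register -> source kinds it depends on
    event_xy: Dict[str, Set[str]] = {}               # MotionEvent register -> taint of its x/y
    found = {f: False for f in FEATURES}
    for ins in method:
        in_taint: Set[str] = set()
        for a in ins.args:
            if a.startswith("v"):
                in_taint |= taint[a]
        if ins.op in SOURCES:
            taint[ins.dest] = {SOURCES[ins.op]}
        elif ins.op == EVENT_FACTORY:
            # Remember what the synthetic event's coordinates were computed from.
            event_xy[ins.dest] = taint[ins.args[3]] | taint[ins.args[4]]
            taint[ins.dest] = in_taint
        elif ins.op == TOUCH_SINK:
            xy = event_xy.get(ins.args[1], set())
            found["randomized_coordinates"] |= "random" in xy
            found["click_shadowing"] |= "real_touch" in xy
        elif ins.op == DELAY_SINK:
            found["randomized_trigger_time"] |= bool(taint[ins.args[2]] & {"random", "time"})
        elif ins.op == NET_SINK:
            found["click_profiling_upload"] |= "real_touch" in taint[ins.args[1]]
        elif ins.dest:
            taint[ins.dest] = in_taint   # any other op propagates its inputs' taint
    return found


def feature_vector(method: List[Instr]) -> List[int]:
    """Order the HA findings into the fixed-position vector a classifier would consume."""
    found = analyse(method)
    return [int(found[f]) for f in FEATURES]


# Constructed HA-like method: random coordinates, random re-trigger delay,
# shadowing of the user's own tap (v20 is the real MotionEvent) and upload
# of the captured coordinates over a network stream (v15).
HA_METHOD = [
    Instr("v1", "Ljava/util/Random;->nextInt", ["v0", "#1080"]),
    Instr("v2", "Ljava/util/Random;->nextInt", ["v0", "#1920"]),
    Instr("v3", "Ljava/lang/System;->currentTimeMillis", []),
    Instr("v4", EVENT_FACTORY, ["v3", "v3", "#0", "v1", "v2", "#0"]),
    Instr("", TOUCH_SINK, ["v10", "v4"]),                 # v10 = ad view
    Instr("v5", "Ljava/util/Random;->nextInt", ["v0", "#5000"]),
    Instr("", DELAY_SINK, ["v11", "v12", "v5"]),          # re-run after a random delay
    Instr("v6", "Landroid/view/MotionEvent;->getX", ["v20"]),
    Instr("v7", "Landroid/view/MotionEvent;->getY", ["v20"]),
    Instr("v8", EVENT_FACTORY, ["v3", "v3", "#0", "v6", "v7", "#0"]),
    Instr("", TOUCH_SINK, ["v10", "v8"]),
    Instr("v9", "Ljava/lang/StringBuilder;->append", ["v13", "v6"]),
    Instr("v14", "Ljava/lang/String;->getBytes", ["v9"]),
    Instr("", NET_SINK, ["v15", "v14"]),
]

# Constructed benign method: reads the user's tap only to log it locally.
BENIGN_METHOD = [
    Instr("v1", "Landroid/view/MotionEvent;->getX", ["v20"]),
    Instr("v2", "Landroid/view/MotionEvent;->getY", ["v20"]),
    Instr("v3", "Landroid/util/Log;->d", ["#tag", "v1", "v2"]),
]

if __name__ == "__main__":
    for name, m in (("HA_METHOD", HA_METHOD), ("BENIGN_METHOD", BENIGN_METHOD)):
        print(name, dict(zip(FEATURES, feature_vector(m))))
```

The pass above is intraprocedural and straight-line, which is far short of the whole-app graphs the paper builds, but it shows the shape of the signal: what matters is not that dispatchTouchEvent is called, which legitimate accessibility and test code also does, but what the injected event’s coordinates and timing depend on. Since most of the infected apps carry the behaviour in a bundled ad SDK rather than in their own code, any such scan has to cover the SDK’s classes too, not just the app’s.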
The report observes that HA is not evenly distributed among types of apps, and outlines the general distribution across app genres in the Google and Huawei stores (image below).
Humanoid Attack has its preferred target sectors, and features in only eight of the 25 categories studied in the report. The researchers suggest that the variations in distribution may be due to cultural differences in app usage: Google Play has its greatest share in the US and Europe, while Huawei has a stronger hold in China. Accordingly, Huawei infections cluster in the Books, Education and Shopping categories, while in Google Play the News, Magazines and Tools categories are more affected.
The researchers, who are currently communicating with vendors of the affected apps in order to help remediate the issue, and who have received acknowledgement from Google, contend that Humanoid Attack has already caused ‘huge losses’ to advertisers. The report states that at the time of writing, and prior to liaising with vendors, only 39 of the 157 infected apps across the Google Play and Huawei stores had been removed.
The report also observes that the Tools category is well-represented across both markets, and is an attractive target because of the unusually broad permissions that users are willing to grant to apps of this type.
Native Vs. SDK Deployment
Among the apps identified as subject to Humanoid Attack, the majority do not use direct code injection, but instead rely on third-party ad SDKs, which, from a programming point of view, are ‘drop in’ monetization frameworks.
67% of the infected Huawei apps and 95.2% of the infected Google Play apps use the SDK approach, which is less likely to be discovered by static analysis or by other methods that concentrate on the app’s own code rather than the wider behavioral fingerprint of its interactions with remote resources.
The researchers compared the efficacy of ClickScanner, which uses a classifier based on Variational Autoencoders (VAEs), against VirusTotal, a detection platform that integrates many other engines, including Kaspersky and McAfee. The data was uploaded to VirusTotal twice, six months apart, to discount possible anomalous or erroneous results from VirusTotal.
According to the research, 58 and 57 infected apps from Google Play and the Huawei AppGallery, respectively, bypassed VirusTotal’s detection capabilities, and only five infected apps were flagged by more than seven detection engines.
Malicious Ad SDKs
The report observes the presence of an undisclosed malicious advertising SDK in 43 of the apps studied, which has ‘a greater impact’ than the others reported, since it is designed to click an ad a second time whenever the user clicks it once, making the user an unwitting participant in the fraudulent activity.
The report notes that this malicious SDK achieved 270 million installations since being made available via Google Play, and that the GitHub code for it was deleted in November of 2020. The researchers surmise that this may have been in response to a ramping-up of Google’s own anti-fraud measures.
Another SDK, which has reached an install base of 476 million, ‘helps’ users to autoplay videos, but then automatically clicks any ads that appear when the video is paused.