By Nate Clark, Head of IAS Threat Lab
The digital landscape is prioritizing privacy now more than ever before. Internet users worldwide understandably want to ensure security when browsing the web. However, fraud can be found anywhere – even in apps that may identify themselves as safe.
The Scheme
The IAS Threat Lab recently uncovered an elaborate fraud scheme in a virtual private network (VPN) app targeting Android phones called Oko VPN. Developed by VIP Internet Security LTD., the app was labeled as a free VPN service that anonymizes a user’s web traffic and made available in the Google Play Store in July 2022.
In reality, Oko VPN was hijacking IP addresses, turning users’ phones into fraud-relaying devices. Any Android phone that installed the app unwittingly donated its IP address for use by Oko VPN to commit ad fraud. The fraudsters exploited the user’s IP address to mask the origin of traffic to send fake ad impressions to video streaming platforms. This IP hijacking scheme is referred to as “residential proxying.”
This app also posed a risk for illicit material/traffic going through users’ home networks, making it possible to make further attacks on users’ home networks – which emphasized the need to remove the app from the Google Play Store immediately.
The Takedown
Upon detecting the malicious app in March 2023, the IAS Threat Lab contacted the Google Play Store team who conducted their own investigation and confirmed the Threat Lab’s findings. After the Threat Lab identified the scheme, IAS notified Google, which immediately removed the app and enforced Google Play Protect, which warns users and prompts them to uninstall the malicious app.
The Impact
Oko VPN experienced exponential growth, with more than a million users at the time of its takedown. The Threat Lab team estimates that Oko VPN was generating approximately 100 million fraudulent impressions per month at the time of its removal from the Google Play Store. The team estimates that $10 million in advertiser spend was wasted on this scheme.
Fraud schemes like this are unfortunately quite common – and advertisers need to be aware. The IAS Threat Lab is constantly working to identify new and novel fraud schemes, protecting advertisers, publishers, and consumers from digital ad fraud.
IAS established the Threat Lab to provide targeted reconnaissance of new and emerging fraud schemes. The team employs data analysis and reverse engineering to uncover fraud schemes and determine how they work, which allows the team to protect advertisers, publishers and consumers, by working with partners and authorities to take down the fraudsters.
