Invisible rogue mobile apps are wasting petabytes of data a day through an advertising hijacking technique researchers say could inflict US$1 billion in damages this year.
Some 5000 malicious Android and iOS apps are hiding the rapidly reloading ads from users and will continue to operate even if the apps are not in use.
That technique works in part because the apps simulate human interaction.
Researchers Mike Andrews, Antoni Kolev, David Sendroff, and Matt Vella, from New York outfit Forensiq, say the apps throw a whopping 20 ads a minute, or 700 an hour. By comparison, legitimate apps serve an ad every one to two minutes.
The ads hoover up to two gigabytes a day per mobile device and affect a potential 15 percent of apps.
“Fraudulent apps were observed selling traffic through most major ad exchanges and networks. These apps would establish on average 1100 connections per minute and communicate with 320 ad networks, ad servers, exchanges and data providers in the course of an hour,” the team says in the report [PDF].
“Based on the traffic we observed, we estimate that mobile device hijacking will cost advertisers more than $857 million in 2015 ... we project that the annual impact of in-app fraud will surpass the $1 billion mark globally in 2015.”
The estimated financial impact to advertisers this year is staggering; those operating on the Android platform stand to lose an estimated US$480 million, those on iOS will lose US$363 million, while Windows Mobile ad-men will haemorrhage some US$14 million.
The team says the advertising technique is undetectable by antivirus and bears similarities to the way botnets operate.
They flagged some 13.3 percent of the 16.2 billion daily mobile in-app impressions observed as high-risk, noting they use a suite of custom packet capture and analysis tools to monitor device traffic.
The results are based on hundreds of hours of captured data and video, with advertisements mapped to corresponding frames.