‘PARETO’ Connected TV botnet discovered
April 22, 2021
By Colin Mann
Cybersecurity company HUMAN (formerly White Ops) has confirmed the discovery and disruption of a new, highly sophisticated botnet focused on defrauding the Connected TV (CTV) advertising ecosystem.
Omnicom Media Group, The Trade Desk, and Magnite, flagship members of The Human Collective—a newly-launched initiative that brings together players throughout digital advertising to create a collectively protected ecosystem—collaborated with HUMAN, with the support of Google and Roku in leading the disruption efforts.
PARETO is nearly a million infected mobile Android devices pretending to be millions of people watching ads on smart TVs and other devices. The botnet used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, accounting for an average of 650 million ad requests every day.
HUMAN’s Satori Threat Intelligence and Research Team found the PARETO operation in 2020 and has been working with the rest of HUMAN since then to limit its impact on clients. The operation is named for the Pareto Principle, the economics rule of thumb that 80 per cent of the impact in any given situation comes from only 20 per cent of the actors.
“CTV provides massive opportunities for streaming services and brands to engage with consumers through compelling content and advertising,” said HUMAN CEO and Co-Founder Tamer Hassan. “Because of this opportunity, it is incredibly important for the CTV ecosystem and brands to work together through a collectively protected advertising supply chain to ensure fraud is recognised, addressed and eliminated as quickly as possible.”
PARETO worked by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent CTV platforms. The botnet took advantage of digital shifts that were accelerated by the pandemic, hiding in the noise in order to trick advertisers and technology platforms into believing ads were being shown on CTVs. This particular approach is lucrative for fraudsters, as pricing for ads on connected TVs is often substantially higher than pricing on mobile devices or on the web.
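The paragraph above describes the core of the scheme: ad requests from Android mobile apps that declare themselves to be CTV apps on Fire OS, tvOS or Roku OS. The following is an added example, not code from HUMAN or from the article, showing two simple defender-side consistency checks an ad platform could run over its own request logs: a request that claims a CTV platform while its User-Agent exposes an Android mobile stack, and a single client that presents itself as an implausible number of distinct CTV apps. The `AdRequest` record, the field names, the User-Agent strings and the threshold of three apps are all assumptions constructed for the example; the sample traffic is constructed, not real data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

# CTV platforms the article names as impersonated by PARETO.
CTV_PLATFORMS = {"Fire OS", "tvOS", "Roku OS"}


@dataclass(frozen=True)
class AdRequest:
    # Hypothetical, simplified ad-request record; not a real SSP/DSP schema.
    source_id: str         # stable identifier for the requesting client (assumed)
    claimed_platform: str  # platform the request declares, e.g. "Roku OS"
    claimed_app: str       # CTV app the request claims to originate from
    user_agent: str        # HTTP User-Agent observed on the wire


def platform_mismatch(req: AdRequest) -> bool:
    """True when the request claims a CTV platform but its User-Agent
    exposes an Android mobile browser/WebView stack."""
    ua = req.user_agent.lower()
    return (req.claimed_platform in CTV_PLATFORMS
            and "android" in ua
            and "mobile" in ua)


def multi_app_sources(requests: Iterable[AdRequest], max_apps: int = 3) -> list[str]:
    """Sources that present themselves as more than `max_apps` distinct CTV apps.
    A real TV runs a handful of apps; a client cycling through many app
    identities does not. The threshold is an assumption for the example."""
    apps_per_source: dict[str, set[str]] = defaultdict(set)
    for r in requests:
        if r.claimed_platform in CTV_PLATFORMS:
            apps_per_source[r.source_id].add(r.claimed_app)
    return sorted(s for s, apps in apps_per_source.items() if len(apps) > max_apps)


def analyze(requests: list[AdRequest]) -> dict[str, list[str]]:
    """Run both checks and return the flagged source ids per check."""
    flagged = sorted({r.source_id for r in requests if platform_mismatch(r)})
    return {"ua_mismatch": flagged, "multi_app": multi_app_sources(requests)}


# Constructed sample traffic (not real data): one legitimate Roku device (dev-A),
# one Android phone honestly declaring itself (dev-B), and one Android client
# claiming to be several different CTV apps on several platforms (dev-C).
ANDROID_UA = "Mozilla/5.0 (Linux; Android 9) Mobile Safari (constructed UA)"
SAMPLE = [
    AdRequest("dev-A", "Roku OS", "news-channel", "Roku/DVP (constructed UA)"),
    AdRequest("dev-A", "Roku OS", "sports-channel", "Roku/DVP (constructed UA)"),
    AdRequest("dev-B", "Android", "mobile-game", ANDROID_UA),
    AdRequest("dev-C", "Fire OS", "ctv-app-0001", ANDROID_UA),
    AdRequest("dev-C", "tvOS", "ctv-app-0002", ANDROID_UA),
    AdRequest("dev-C", "Roku OS", "ctv-app-0003", ANDROID_UA),
    AdRequest("dev-C", "Roku OS", "ctv-app-0004", ANDROID_UA),
]

if __name__ == "__main__":
    print(analyze(SAMPLE))  # → {'ua_mismatch': ['dev-C'], 'multi_app': ['dev-C']}
```

These are first-pass heuristics only: the article notes that the actors also spoofed signals at the network protocol level, so a User-Agent check on its own would miss traffic whose headers are fully consistent, and the per-source app count needs a stable client identifier to be meaningful.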
“We appreciate the work of the research community, and value our collaboration with HUMAN,” said Per Bjorke, Product Manager, Ad Traffic Quality at Google. “Responsible disclosure and collaboration benefits the entire ecosystem, and we look forward to working with them on additional research in the future.”
According to HUMAN, the PARETO operation was highly sophisticated and evasive over the past year. However, each time PARETO launched a new disguise for its fake traffic, HUMAN detected the new spoofing cycle and adapted its techniques to protect its customers through HUMAN’s Advertising Integrity solution.
Finally, after a year of this continuous and effective threat identification and resolution, and driven by a sequence of countermeasures and PARETO adaptations, HUMAN and its partners—including Omnicom Media Group, The Trade Desk, Magnite, Google, and Roku—disrupted the operation.
“Roku is committed to fighting ad fraud in every form and to the development of leading practices for staying ahead of fraud globally,” stated Willard Simmons, VP of Product Management at Roku. “We were pleased to support HUMAN’s efforts to disrupt the PARETO operation. While this scheme impacted less than 0.1 per cent of Roku devices, our approach to creating a premium curated advertising marketplace ensured that not a single Roku advertiser was ever at risk of being impacted. The PARETO case presents yet another reminder of the importance of taking fraud seriously, working with the best fraud detection partners and ensuring both the supply and demand side of the advertising ecosystem works only with trusted verified partners.”
HUMAN also observed a far smaller but connected effort attempting to spoof consumer streaming platforms. The investigation identified a single developer on Roku’s Channel Store with apps connected to PARETO. The apps linked to the developer, impacting less than one half of one per cent of Roku’s active devices globally, were designed to communicate with the server that operates the PARETO botnet. The primary operation was associated with 29 Android apps and the secondary operation with one Roku developer delivering the malware to infected devices. These apps have all been removed from the marketplaces on which they were operating, and lists of the apps are available as appendices to HUMAN’s technical analysis of the botnet. Roku has also permanently disconnected the impacted apps from use.
“What’s especially striking about this operation is its scale and sophistication,” noted HUMAN Chief Scientist Michael McNally. “The actors behind PARETO have a fundamental understanding of numerous aspects of advertising technology, and used that to their advantage in how they hid their work within the CTV ecosystem. Their efforts included low-level network protocol spoofing, which is especially hard to detect, but which our team at HUMAN spotted.”
The Satori Threat Intelligence and Research Team used numerous tools to identify the sources of the botnet, and that information has been shared with law enforcement.