You are on page 1of 3
MARK R WARNER soit ‘ana FINANC BANKING, HOUSING, AND. United States Senate puoaet October 25, 2018 ‘The Honorable Joseph J. Simons Chairman Federal Trade Commission 600 Pennsylvania Avenue, NW Washington, D.C. 20530 Dear Chairman Simons, Tam writing to express my continued concern with the prevalence of digital advertising fraud, and in particular the inaction of major industry stakeholders in curbing these abuses. In 2016, Senator Schumer and I wrote Chairwoman Ramirez to express frustration with the growing phenomenon of digital ad fraud. Digital ad fraud has only grown since that time, rising to $7.4 billion in 2017 — and projected to rise to $10.9 billion by 2021.' I am greatly concemed with recent reporting from Buzzfeed, detailing a massive digital advertising fraud scheme that depends, in large part, on a network of compromised Android apps.’ As Buzzfeed reports, this scheme generated hundreds of millions of dollars in fraudulent advertising revenues, with ‘operations spanning more than 125 Android apps and websites. In the course of investigating Russia’s unprecedented interference in the 2016 election, the extent to which many popular online communications technologies have been exploited ~ and their providers caught repeatedly flat-footed — has been unmistakable. More than illuminating the capacity of these technologies to be exploited by bad actors, the revelations of the last year have revealed the dark underbelly of an entire ecosystem. In the same way that bots, trolls, click-farms, fake pages and groups, ads, and algorithm-gaming can be used to propagate political disinformation, these same tools can — and have — been used to assist financial frauds such as stock-pumping schemes, click fraud in digital advertising markets, schemes to sell counterfeit prescription drugs, and efforts to convince large numbers of users to download malicious apps on their phones.? “Poor-Quality Ads Cost Marketers $7.4 Billion Last Year,” Forrester Research (March 30, 2017), available at -ups:/sw wwe forrester.convPoorQua Costs Market io Craig Silverman, “Apps Installed on Millions of Android Phones Tracked User Behavior to Execute A Maltimillion Dollar Ad Fraud Scheme,” Buezfeed (Oct. 23, 2018), available at ups: buzzfeednews,com/artieleeraigsilverman how-t-massive-ad-fraud-scheme-exploited-android-phones- fo > Seo, ¢.g., Robert Gorwa, “Computational Propaganda in Poland: False Ampli Working Paper No, 2017.4, Oxford Internet Institute, University of Oxford, hup:/blogs. ofa.'89/2017-06/Comprop-Poland.pdf; Renae Merle, ‘heme ereated fake news stories to manipulate stock prices, SEC alleges,” Los Angeles Times (July 5, 2017), available af: hip scomilpusinesslafise 20170705-story. html; Lauren Moss, “Xanax ‘drug sold on social media found to be fake,” BBC News (March 26, 2018), available ar: hupsi/vwse. bbe. 19; Danny Palmer, “Android malware found inside apps downloaded According to Buzzfeed, a recent ad fraud ring vividly illustrates this problem, with potentially millions of consumers unwittingly downloading and engaging with apps that captured the behavior of app users in order to program a network of bots mimicking user activity t0 engage in multi-million dollar ad fraud. While these techniques continue to grow more sophisticated, none of this is new for industry stakeholders. Sophisticated, user-mimicking bots have been widely publicized for a number of years now.* According to leading researchers, one in five ad-serving websites is visited exclusively by bots engaged in ad fraud.* Digital ad fraud thrives because of the opaqueness of the programmatic ad market, where user data is bought and sold in ways users are unwitting to, in order to target advertisements in ever more sophisticated ways. At the center of this scheme was a strategy of buying moderately popular, legitimate Android apps ~ seemingly innocuous products like mobile games, a flashlight app, and a healthy eating app — and using the instalfed user base as both a source of fake traffic and behavioral data to model fraudulent bot behavior. Google’s inattention to misconduct within its app store has been a growing concer, In November of 2017, researchers found that over 1 million users had downloaded a spoofed version of WhatsApp.° Researchers also routinely find banking Trojans and other malware in the Google Play store.” While Google made an estimated $20 billion last year from the Google Play store, its mobile app ecosystem features considerably more malware and fraudulent activity than that of its mobile operating system competitors. Google’s inattention to misconduct within its app store also enabled the extensive fraud involved here, In addition to failing to notify users of the change in ownership, Google failed to detect changes in the apps that facilitated extensive user tracking subsequently used for bot behavior. Nor did it detect the myriad indicators of coordinated fraudulent activity between the $00,000 times,” ZDNet (March 26, 2018), available af eps: wuww.rlnel.coranicle‘andruidpualyare-fowme ‘nsldle-apps-down iogded-<0000-time * Thomas Brewster, “Biggest Ad Fraud Ever": Hackers Make $SM A Day By Faking 300M Video Views,” Forber (Dec. 20, 2016), available at: Intps www. sitesthonmasbrewsien 2016.12 20 meshhhot-biggestd-frud- yptes!tutad 34899 "Ruscl Brno, “One in Five Ad-Servng Websites s Visited Exclisively by Fraud Bote 2017), available af: ups: ww thew it orenz Pancheset Bidet “Mere Tho Mllion People Dovid «Fake Wasp Andold Ap -Morkerboard (Nov. 3, 2017), available ar: figs motherboard sice.comion_ssarticleovhak Takewhatsapy. sunroidanp-t-inillion-down loads * See, eg, louutilascu, “Banking Trojans and Shady Apps Galere in Google Play,” Bleeping Comparer (Sept. 2018), avaifable ar. hus" www lolezpinzcompater com/news'security hanking-trofans-and-shady-apps-ealacesin- _gooule-pla}; Danny Palmer, “Android Security: Passwerd-Stealing Malware Sneaks in Google Play Store in Bogus Apps.” ZDNet Gly | 1, 2018), available at: hups:-wsw.zanet.concasicle‘andruid-security-passwonk-stealing: teojansmulwre-sneaks-in-wooulesplay-store-in-bogus-apps'; Dell Cameron, “Flashlight Apps Snuck Malware Into Google's Play Store, Targeting Bank Accounts,” Gieniodo (Nov. 20, 2017), available af: ups: ‘gizmodo coor Mashlighteapps-snekeinalisiee-into-googesplay=st in Thomson, “Another Month, Another Malware Outbreak in Google's Play Store,” The Register (Sept. 15, 2017), avaitable at inupy. ungrtherezister cosh 2017-69 45 malware qutbreak goosles play. store! * Zach Epstein, “Android is Still Aa Unsecure Mess Compared to the iPhone Even When It's Not on Your Phone,” BGR une 19, 2018), available at: blips: "'20 806-19 andsoidevseip miner; David Nield, “Why Choosing Between Android and iO Still Matters.” Gizmodo (bre “16, 2018), avattable a: ips: ‘ezmodda.conn'whs-choosing-betvzen Kio ‘The Verge (May 24, bots-white-rearepoct apps — including overlaps in app content, source code, IP addresses, SDKs, and common traffic patterns. Despite being approached by researchers in June with evidence of part of this scheme, Google failed to dig deeper to reveal the fall scope of this fraudulent activity. While there is no evidence Google had direct knowledge, Google’s ad network and ad exchanges were also implicated in these schemes. At the very least, it seems that across a number of its products Google may have engaged in willful blindness, all while profiting from this fraudulent activity. Lencourage you to look closely at these reports, including the extent to which major ‘ecosystem stakeholders engage in willful blindness to fraudulent activity in the online ad market. Sincerely, rh K Muncy MARK R. WARNER United States Senator