MightySignal menu
DrainerBot Mobile Ad-Fraud Operation

DrainerBot Mobile Ad-Fraud Operation

What is the DrainerBot mobile ad-fraud operation?

Oracle has discovered a new pattern in bot activity. The DrainerBot is a data and power vampire that slowly depletes your devices of battery life, while also exploiting their data. 

While this might sound only moderately to extremely irritating, there is a severe amount of risk to be factored here. 

What is a drainer bot?

A sneaky piece of ad software, for starters. Drainer bots are present behind the scenes in several of your favorite Android apps, SDKs, APIs, and games. They received their name from their disheartening capacity to drain your smartphone battery life. 

This may seem benign at first because the activity is almost undetectable. These bots will drain gigabytes from videos.  It does this by placing smart ads in your display window but making them invisible so you don't know they are there and can't prevent them from sponging data. This ramps up a massive bill on some Android users mobile data bill. 

Oracle is calling this massive bot fraud the “Drainer Bot” campaign.  Oracle launched an investigation in February when the threat was first noted. The investigation was still making headlines in March but became vaguer as we headed toward the Spring season.

At the outset, they have identified a few of the apps, games, etc. that had a drainer bot presence detected. They are as follows: 

  • Perfect Clash 365
  • Vertex Club
  • Draw Clash of Clans
  • Touch n’ Beat-Cinema
  • Solitaire: 4 Seasons

MightySignal Mobile App Intelligence

It is unclear whether these apps have been stripped of potential threats. Here's what we do know:

  • As of April, Google's software integrity measures are becoming stricter. This means that if an app is still available in the Play Store, it missed the mass deletion and ban that was reported. 
  • Google booted DO Global -a major Android developer out of the store for malicious apps, which is a sign of a far less lenient environment for fraud actors. Google also deleted 40 apps that DO Global had in the store. 
  • The DO Global malicious activity was directly associated with adware, which is the category that Drainer Bots fall under. 
  • If an app, including the list above, is still available, then it has been mostly deemed clean by Google. User discretion is still advised.

For creative software professionals, the risks may be even more prolonged and severe. Investigations uncovered data that implied a possibility for hundreds of apps and SDKs to be affected. The drainer bots were found when the code of the named apps was unpacked. That means that a variety of APIs and other software building tools may also have these bots maliciously engrained. 

The first SDK company to be infected by drainer bots is believed to be Tapcore ads. The company itself has released a statement to liberate themselves from accountability for the potential consumer risks caused by this breach in their systems. Loosely quoted it expressed "extreme surprise" that Oracle had made such findings and "vehemently denied" any intentional involvement. You can see a different perspective of Tapcore's release at Washington Post. We advise continuing discretion if trading with Tapcore. We would also encourage you to be aware of potential bias in their release statement, and instead, watch employee or consumer reviews of their conduct. Since the release of this news, we've tracked a number of apps that have removed the Tapcore SDK from their tech stack like Tramp Simulator: Survival City

 Tramp Simulator:Survival City tech stack

We at Mighty Signal conducted a more in-depth investigation below. Each Android publisher should be aware of the full negative potential in Drainer Bot. Our more recent work has led us to sources stating this ad fraud stretches even into May. Google has allegedly deleted 100s of new apps for adware and ad fraud from the Play Store. The source that broke this story states that Google will now also boot the developers of the faulty apps from the Store. Android was believed by the popular vote to have been the one most affected in this incident. This may be traced back to iOS having a more sophisticated security screen at this time. 

The  invisible bot

One major player in the difficult detection of drainerbots is their invisible status. They overlay in videos as non-displaying ads and drain from the data used on the device. It works like this: 

  • The bot embeds and hidden and fraudulent ad into your mobile device's display
  • The infected app then communicates with ad networks that are linked to the scheme.
  • The infected app triggers a notification that the ad was viewed on the ad publisher's site.
  • This gets the ad publisher unethical and illegal kickbacks for their ad being viewed even though the video viewer never actually knew it was in their display.

You can read more about it here.

Defining gray area exploits causes and solutions 

What exactly is an exploit? We know that all software has the potential for vulnerabilities and that hackers can exploit these. An exploit itself is sort of like a castle siege. It is an organized strategy that uses web vulnerabilities to its advantage. 

The percentage of app marketplace actually affected

While it may be tempting to assume that all of the app market is filled with schemes, only a small portion of the marketplace is directly impacted. The Hill cites that around 4% of Android devices and software are allegedly infected, as of May 14, 2019. 

This having been said, one issue with the small percentage of the market that is impacted is its chance of snowball effect. The best way to keep your systems safe, then, is to learn all you can about cybersecurity from the users perspective. 

Nation-states and Drainer Bots: what you need to know

What has only begun as Ad Fraud could also contribute to the controversies of “Russiagate” and “Spygate” respectively? In the days following the release of the Mueller investigation, Twitter saw a surge in Russia-linked bot activity. A great deal of audience engagement that takes place on Twitter is via Twitter for Business ad campaigns. 

The Russian-linked activity on Twitter was detected primarily in political hashtags and ad campaigns. We can infer through this knowledge that nation-states are present in the advertising space of social media. 

If we can make this assumption, and we can also assume drainer bots are heavily present on these platforms, then we may see an overlap. Drainer Bot ad fraud can compound the nation-state activity in our networks because of political ad campaigns that could likely pass through ad fraud as we near the preliminary elections. 

Next year will be the official election year, and so nation-state and political ad activity will spike from 2020-2021 naturally. In the case of election years, data collection fuels propaganda sways voting opinions, and potentially endangers the public. Politically manipulative ad campaigns backed by user data were at the core of the Cambridge Analytica scandal. 

In the case of Drainerbots and adware, the election can be used to direct traffic to unsafe sites. This is because Drainerbots work by using the invisible ad it displays in your mobile device to report back to another site somewhere where the visible ad is published. This is called Sophisticated Invalid Traffic. 

 Your apps might communicate with the location of an ad, give the site kickbacks, and also open your IP up to more severe forms of malware from the sites it's now communicating with. This could lead to more nasty issues like ransomware, which is a malware that will lock down your device until you pay to have it reset, or other forms of financial identity risking situations. 

Keep intellectual property safe by securing your network

The most logical way to prevent entanglement with these nation-states actors is to ensure your network anytime you create something via the web. Cyberwire cites deep-learning as a source of threat detection your company can employ. You can learn more about it here.

Developer accountability for consumer safety 

If the Drainer Bot probe does not detect the full scope of the malicious SDK infection, then this can become a more pressing issue. Because advertisements on social media channels are directed to consumer-direct targeting, powered by personal user data. Usually, they need permission, but in our case, this is fraudulent ad work. This means that a legitimate app you as a developer are building with an SDK can be used to leach information from your users through bad SDKs or bad ads you run to monetize the financing departments of your software development business. 

Malware and drainer bots cross contamination

In January, Malwarebytes Labs conducted a research venture into the typical scenarios of malware and bot attacks. This research spanned consumer, business, regional, vertical, etc. qualifiers for malware activity. 

 If we observe, then we know that malware that uses data can harvest data from these drainers. This is why understanding the environment of drainer bot origins is completely necessary to prevent a further breakdown in your SDKs. 

 A trend carry-over from 2018 was detected in the report. Corrupted software is now on the level that it can fool trained-eye users and even, regrettably, the store admins themselves. This may be due in part to a 79% surge in business-targeting malware for the 2018 calendar year. 


Now that you know the long and the short of your potential Drainer threat, what to do about it? It may feel like War Games at times. With the right amount of user precautions, you can protect yourself online and in SDK workshops. The secret lies with increasing the security measures you use to protect your browser itself. This can mean adding new malware detection software. It also means scanning carefully for fake antivirus software. Some new browser systems, like Google Chrome, will block a site or an app download before you can even make the mistake of using it if the internal workings of the browser sense malicious links might be lost in the translation of the display. 

The MightySignal solution

Mighty Signal provides an intensive library of SDK lookups. With our savvy, developers can match hundreds of mobile market insights to their software solutions. You should always have the opportunity to build on the web without worrying about the vampires of data use.

The Mighty Signal solution can provide sources with app ranking changes and SDK install/uninstall history. This helps developers determine the overall appeal of an app and potentially bad experiences others have had within it. By eliminating bad apps from your shopping cart, you are likely to “detour” around bad web neighborhoods.  Contact us to start your free trial of the MightySignal platform today. 

Try MightySignal Today!

Please provide your email.

Newsletters make you smarter.

Please provide your email.

Contact MightySignal

Please provide your name.
Please provide your surname.
Please provide your email.

Trusted by

  • Zendesk
  • Mixpanel
  • Amplitude

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.