IAS Uncovered a Malicious VPN App with Over 1m Downloads that Hijack Residential IPs for Ad Fraud

by ExchangeWire PressBox on 15th May 2023 in News

The IAS Threat Lab recently uncovered an elaborate fraud scheme in a virtual private network (VPN) app targeting Android phones called Oko VPN. Developed by VIP Internet Security LTD., the app was labelled a free VPN service that anonymised a user's web traffic and was made available in the Google Play Store in July 2022.

In reality, Oko VPN was hijacking IP addresses, turning users' phones into fraud-relaying devices. Any Android phone that installed the app unwittingly donated its IP address for use by Oko VPN to commit ad fraud. The fraudsters exploited the user's IP address to mask the origin of traffic to send fake ad impressions to video streaming platforms. This IP hijacking scheme is referred to as “residential proxying.”

This app also posed a risk for illicit material/traffic going through users’ home networks, making it possible to make further attacks on users’ home networks – which emphasised the need to remove the app from the Google Play Store immediately.

Upon detecting the malicious app in March 2023, the IAS Threat Lab contacted the Google Play Store team, who conducted their own investigation and confirmed the Threat Lab’s findings. After the Threat Lab identified the scheme, IAS notified Google, which immediately removed the app and enforced Google Play Protect, which warns users and prompts them to uninstall the malicious app.

Oko VPN experienced exponential growth, with more than a million users at the time of its takedown. The Threat Lab team estimates that Oko VPN was generating approximately 100 million fraudulent impressions per month at the time of its removal from the Google Play Store. The team estimates that US$10m (£8m) in advertiser spend was wasted on this scheme.

Fraud schemes like this are unfortunately quite common – and advertisers need to be aware. The IAS Threat Lab is constantly working to identify new and novel fraud schemes, protecting advertisers, publishers, and consumers from digital ad fraud.

IAS established the Threat Lab to provide targeted reconnaissance of new and emerging fraud schemes. The team employs data analysis and reverse engineering to uncover fraud schemes and determine how they work, which allows the team to protect advertisers, publishers, and consumers by working with partners and authorities to take down the fraudsters.

For details on how the scheme worked, see Technical Disclosure here.