This Giant Ad Fraud Scheme Drained Users' Batteries And Data By Running Hidden Video Ads In Android Apps

A scheme to stealthily run video ads behind banner images drained users' batteries and data while they used popular Android apps.

Julien is an independent developer who built and maintains one of the most popular audio apps in the Google Play store. With millions of downloads and hundreds of thousands of positive reviews, he’s obsessive about responding to user complaints and concerns.

He often receives emails from users complaining that his app is draining their battery and using more data than expected. Usually, it’s because they set the app to download files when they’re not on Wi-Fi. But sometimes it’s due to ad fraudsters taking advantage of his app to run hidden, data-hungry video ads behind the legitimate banners he sells to earn his living.

Julien's app is one of several, including many using Twitter's MoPub ad platform, that saw its in-app ads hijacked in an ad fraud scheme uncovered by fraud detection firm Protected Media. The company’s findings, along with additional reporting and interviews by BuzzFeed News, and independent verification from an outside ad fraud lab, show that one of the players implicated in this scheme is Aniview, an Israeli company with offices in New York that runs a video ad technology platform.

Aniview denies any involvement and instead says the platform and banner ads and code, which were created by one of its subsidiaries, were exploited by a malicious, unnamed third party.

“BuzzFeed brought to our attention that there is an abuse activity, as an immediate action, we stopped this activity and started and continue an internal incident review,” said Aniview CEO Alon Carmel in an emailed statement. “We notified and emphasized our clients that the use of our platform must be according to our policy and the IAB and TAG guidelines.”

It’s just one of the many ways ad fraudsters siphon money out of the global digital advertising industry, which will see more than $20 billion stolen this year. This scheme in particular highlights once again how ad tech companies exploit insider access and technical knowledge to participate in ad fraud.

“I don’t even think about me being ripped off,” Julien told BuzzFeed News. “All I think about is them damaging the app’s reputation. It can cost money to [a user] and drain his battery. This is the thing that makes me really mad.” (BuzzFeed News agreed to withhold his full name and the name of his app due to concerns about people wrongly thinking it was knowingly part of the scheme.)

Here’s how the scheme works. Julien sells a banner ad, which appears in the app and is visible to his users. Then, hidden from view behind that banner, fraudsters conceal autoplaying video ads that no human being actually sees, but which register as having been served and viewed. In this scenario, Julien gets paid for the small banner ad in his app that users see, but the fraudsters earn many times that amount by stuffing far more lucrative video ads behind the banner. Ultimately, it’s the brands whose ads were shown in hidden video players that lose money to those running the scheme.

“Fraudsters are purchasing cheap in-app display inventory and are filling it with multiple video players behind innocuous fake branded display ads,” said Asaf Greiner, the CEO of Protected Media.

This type of ad fraud is known in the industry as in-banner video ads, and has been documented in the past. Greiner’s team identified a new version of it last fall and said in total they’ve seen tens of millions of dollars' worth of fraudulent video ads running per month as a result.

The ad fraud lab run by DoubleVerify, a digital measurement company, identified the same in-banner video ad fraud scheme at the end of last year, according to Roy Rosenfeld, the company’s VP of product management.

He told BuzzFeed News the fraudsters “did a very good job at hiding and obfuscating what they were doing” and were “quite sophisticated in the thinking behind how they can monetize that [video] inventory.”

DoubleVerify saw at least 60 million ad calls being made for fraudulent video ads per month, though Rosenfeld noted that not all of those ad slots were filled.

Aniview and its subsidiary, OutStream Media, were identified by Protected Media as being part of the scheme after the fraud detection firm gathered and analyzed video evidence, code, and other information during an investigation.

Rosenfeld said DoubleVerify’s investigation identified that “the Aniview player was heavily driving” the fraudulent video ad activity. He said his team identified the same code and other materials as Protected Media had.

View this video on YouTube

Protected Media / YouTube / Via youtube.com

Carmel, of Aniview, told BuzzFeed News that his company “does not knowingly engage in any fraudulent activity” and said his team has been trying to stop this activity on their platform since they were first contact by Protected Media last month. He acknowledged that OutStream Media, the company identified by Protected Media, is a subsidiary of Aniview. But he said it had ceased operations last summer and that Aniview is in the process of legally shutting it down. He said the ad fraud documented by Protected Media and DoubleVerify was done by bad actors using the Aniview video ad platform, as well as images and code created by OutStream Media, in an unauthorized way.

“To be crystal clear, another customer on Aniview’s [self-serve] platform used this [video ad] player and is responsible for this activity and we took actions immediately to stop this activity,” he said.

“We are fighting against bad activities, pushing and focus on clean and legit activities and should not be blamed or framed for bad use of our platform."

Got a tip about ad fraud? You can email tips@buzzfeed.com. To learn how to reach us securely, go to tips.buzzfeed.com.

Carmel could not say who this bad actor was or how they managed to gain access to content that was uploaded to an OutStream Media account on Aniview’s platform. He declined to identify the malicious actors, or to share any details about them. He also acknowledged removing the photos and names of people, including his cofounder, Tal Melenboim, from Aniview’s website after being contacted by BuzzFeed News.

Two of the removed employees had leadership roles with OutStream Media in addition to their work at Aniview. Carmel, who previously cofounded the popular Jewish dating site Jdate, said they left the company to pursue other interests at the end of last year, and he neglected to remove them from the Aniview team page.

Carmel was provided with a copy of the malicious code used to place the banner ads and hidden video players. In addition to using the Aniview platform and banner ads from OutStream Media’s account on it, this code included the URL shoval.tv as a tracking pixel to gather data on ad performance. Shoval.tv is a domain name owned by Aniview cofounder Tal Melenboim. In an email to BuzzFeed News, Melenboim denied any involvement.

Carmel said the fraudsters must have copied the part of the code that included Shoval.tv from an earlier OutStream demo, and said Shoval.tv is commonly used as a tracking URL by Aniview. The inclusion of this code means that only a person with access to shoval.tv would be able to track the performance of the fraudulent ads carrying this pixel.

Protected Media also found that a significant portion of the banner ads purchased for this scheme were bought using MoPub, the mobile ad network owned by Twitter. This does not mean MoPub was engaged in the scheme. But it does mean Twitter’s ad platform was exploited for months by fraudsters, and it earned commission on the ads bought using its tools. (Julien uses MoPub to help place ads in his app and says the company is responsive when he reports bad ads.)

“At this time, we can confirm that the suspicious activity in question is not being initiated by MoPub,” a company spokesperson told BuzzFeed News. “The activity observed by Protected Media stems from an ad that is initiating other non-viewable video ads to run in the background. We are currently investigating what the potential sources of the issue could be.”

This scheme illustrates one of the central challenges in reducing the massive, multibillion-dollar fraud problem in digital advertising: Nearly every player in the supply chain, except for the brands who spend money on ads, profits from fraudulent ad delivery. Even if they’re not involved in ad fraud, platforms such as ad networks and other intermediaries earn a share of the money spent on invalid ads. This creates a disincentive to stop fraud from taking place, according to Greiner.

“It’s an unfair kind of situation because anybody who behaves well and doesn’t allow this on their platform is being left out of the profit,” he said, adding that “there’s very little penalty and there’s a lot to gain — the numbers are just enormous.”

Investigating the scheme

Protected Media first detected the use of hidden video ads in October. Though not a new ad fraud technique, the company saw this iteration grow large enough that it warranted a closer look. After seeing which video players were being used to run the hidden ads, and which ad networks the fraudsters were buying the display ad from, Protected Media reached out to the relevant parties, including Aniview, last month. (Rosenfeld of DoubleVerify said it also identified the scheme late last year and began blocking it.)

Protected Media provided BuzzFeed News with video documentation of invalid video ads running behind banners that were created by OutStream Media, Aniview’s subsidiary. These video ads were served using Aniview’s platform and the banner ads were hosted on Aniview’s website with an account in OutStream Media’s name. This demonstrates a direct link between OutStream Media and the banners that were placed in apps such as Julien’s.

Protected Media also identified that the shoval.tv domain name owned by Aniview cofounder Tal Melenboim was used to track the performance of the fraudulent ads, adding yet another link to Aniview.

Given that information, Greiner believes “Aniview is the group who left no room for deniability — the others can claim ignorance.”

After BuzzFeed News first contacted Aniview, the company removed the LinkedIn page for OutStream Media, and deleted people from the Aniview team page on its website. Two of the removed people were Melenboim, who had previously listed himself as the founder and CEO of OutStream Media on his LinkedIn, and his wife Mazal Melenboim, whose LinkedIn lists her as the head of media operations for Aniview and the head of operations for OutStream Media.

Carmel said the couple left Aniview at the end of last year and praised Tal Melenboim as a “reputable professional” who was “an asset to Aniview during his many years of employment.”

Tal Melenboim told BuzzFeed News in an email that he and his wife are not involved in any illegal activity. “It is important for me to point out to you, that if you got the impression that Aniview/Outstream Media or someone from our team, including me or my wife, is involved in an act of not legit activity, it is simply far away from the true.” (Melenboim said that Carmel’s English is better than his, and that as a result specific questions should be directed to him.)

Carmel said the Melenboims were removed from the company website at his direction after being contacted by BuzzFeed News, and said it was an oversight that they were still on the site. He offered to provide a letter from the company’s legal counsel to testify to the fact that the Melenboims had not worked at Aniview since the end of last year. He also said other employees were removed from the company’s team page at the same time.

After BuzzFeed News emailed Carmel two links that showed the scheme was still active on his platform, the activity was quickly shut off. He said that was a result of his company being given the information necessary to shut it down.

One of the links BuzzFeed News provided to Carmel went to a page at play.aniview.com/outstreammedia/ that hosted the banner ads used in the scheme. These banners were generic images for companies and products such as Coca-Cola, M&M's, McDonald’s, and Disney. If a user clicked on them they were taken to the homepage of the Google Play Store, showing that they were not real ads.

Carmel said these images belonged to OutStream Media and were created as test images when the company was operational last year. He said someone used these images without permission to execute the fraud.

“The banners were ONLY used for reach media demos of outstream units,” he said in an email. “After seeing in your email that someone used our banner without our permission we removed it from our server. Thank you for pointing it out.”

Ultimately what Carmel claims is that an unknown bad actor created an account on his platform, and then used banner ad images created by his subsidiary to execute the fraud scheme. He declined to share information about the bad actor’s account, citing legal concerns. He also couldn’t say exactly how this actor knew about banner ads uploaded to the account of OutStream Media — a company Carmel says was only briefly operational last year. He suggested one of the organizations OutStream had previously tried to pitch its services to was involved.

“The demo page of Outstream units was public and as well have been sent to many potential customers (BTW, one of them was Buzzfeed),” he said in an email. Carmel did not provide contact information for the person at BuzzFeed he says received the OutStream pitch. He did provide screenshots of email templates that were sent to prospective clients in May of last year that included a link to a demo.

Carmel says the same bad actor must have copied the OutStream tracking code that included shoval.tv, the domain owned by Melenboim. This means the fraudsters were sophisticated enough to set up and manage the scheme, but would have left in a tracking pixel that prevents them from receiving performance data on their ads.

Greiner of Protected Media said several ad tech companies engaged in or facilitated this form of fraud. Aniview was the one they gathered the most convincing evidence about. Others continue to run the scheme after being contacted by Protected Media, and in at least one case an executive from an involved company even complained about being called out.

“One of them spoke to my VP of sales and said everybody does it, why are we picking on them,” Greiner said. “It’s something we hear too often, unfortunately.” ●

Skip to footer