A company that claims to combat app piracy is a pirate itself, according to a report Oracle released on Wednesday. Oracle claims the company, Tapcore, has been perpetrating a massive ad fraud on Android devices by infecting apps with software that rings up fake ad impressions and drains people's data.
Based in the Netherlands, Tapcore works with developers to identify when apps are pirated and then enables developers to make money from those bootleg copies by serving ads. Oracle says that Tapcore's anti-piracy code was a Trojan horse that was generating fake mobile websites to trick ad-serving platforms into paying the company for non-existent ad inventory.
"The code is delivering a steady stream of invisible video ads and spoofing domains," Dan Fichter, VP of software development at Oracle Data Cloud, tells Ad Age. "On all those impressions it looked like the advertiser was running ads on legitimate mobile websites. Not only were they not on a website, they were on an invisible web browser."
On its website, Tapcore says it works with more than 3,000 apps, serving 150 million ad impressions a day. The apps whose pirated versions it has worked with include titles like "Perfect 365," "Draw Clash of Clans," "Vertex" and "Solitaire: Season 4," according to Oracle's report.
Tapcore's scheme works like this, according to Oracle: The app developer signs up with Tapcore and is given code to put in its software. Hours, even days, after a consumer downloads the app, the code updates with new functions (what's known as side-loading) that turn the device into a fake ad generator. The app is then secretly used to make requests for digital ads by generating, in a mobile web browser, what look like mobile websites but don't exist.
Oracle says the fraud, which it has named DrainerBot, was uncovered through the joint efforts of its technology teams from its Moat and Dyn acquisitions.
There are three victims here, according to Fichter: the advertiser who buys the ad no one sees; the publisher who has its domain "spoofed" to appear like an ad ran on its webpage when it didn't; and the consumer. An infected app can leak 10 gigabytes of data in a month. A gigabyte of data can cost $15 a month at major telecom providers.
Oracle would not put a monetary figure on how much money could have been generated by the alleged scheme.
A Tapcore spokeswoman said the company is disputing that it's the cause of the fraud and that it reached out to Oracle for more information.
"We are very concerned about Oracle's statement," the spokeswoman said in an email. "At the moment we are trying to find out the details and investigate the causes and circumstances that led to Tapcore being involved in this situation. We have always been on the frontlines in the fight against mobile ad fraud and vow to fully investigate the claims and ensure the facts are brought to light.
"We hope Oracle will make appropriate changes to their statement once we can prove we are not the reason for the fraud activity they're referring to," the email said.
Oracle is working with the industry organization Trustworthy Accountability Group, which is notifying advertisers that they may have bought ads from the alleged invalid traffic.
Google says that it worked with Oracle and Moat to eliminate any bad apps from its store, but it also said that its normal security procedures were working to thwart the infected apps.
"The vast majority of reported apps had either been previously removed through our regular enforcement procedures or were not available on Play, and we have taken steps to blacklist the impacted apps to protect our advertisers," a Google spokeswoman said in an email statement.
Tapcore, for its part, claims to be expanding its business: On its website, it says its services are coming to Apple apps in the coming months.
Scammers siphon nearly $20 billion a year from the industry by some estimates, according to eMarketer.