DrainerBot SDK Sucks Data and Battery From Android Devices

A major mobile ad fraud operation impacts millions of users through infected consumer applications, Oracle reveals. 

Dubbed DrainerBot, the nefarious operation relies on hidden and unseen video ads that are delivered to users to incur data overage charges. With over 10 gigabytes of data consumed per device each month, the cost likely rises to over $100 per year per device.

The DrainerBot code is being distributed through an infected Software Development Kit (SDK) that has been integrated into hundreds of popular consumer Android apps and games, including Perfect365, VertexClub, Draw Clash of Clans, Touch ‘n’ Beat – Cinema, and Solitaire: 4 Seasons (Full). The infected applications appear to have gathered over 10 million downloads to date. 

Once an infected application is installed, it can download fraudulent, invisible video ads to the device. The infected applications, Oracle reveals, report back to the ad network that the video advertisements come from a legitimate publisher site, but all sites are spoofed.

The fraudulent video ads are never displayed on screen and the user never sees them, but the apps consume both bandwidth and battery. According to Oracle, an infected app can consume over 10GB of data per month even if it is not in use or in sleep mode.

The infected SDK has been distributed by Tapcore, a company in the Netherlands that claims to help software developers monetize stolen or pirated installs of their apps (however, the fraudulent ad activity takes place on valid app installs as well). The company says its SDK is used in more than 3,000 apps and that it is serving over 150 million ad requests daily.

“DrainerBot is one of the first major ad fraud operations to cause clear and direct financial harm to consumers. DrainerBot-infected apps can cost users hundreds of dollars in unnecessary data charges while wasting their batteries and slowing their devices,” Eric Roza, SVP and GM of Oracle Data Cloud, said.

Users who downloaded the infected applications should notice that their devices get hot and that battery life drains quickly even when the phone is not in active use. A dramatic increase in data usage, sluggish performance and high application crash rates are also indicators of infection. 

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
