Security researchers at Human Security (formerly White Ops) have discovered a massive botnet of Android devices being used to conduct fraud in the connected TV advertising ecosystem.
The sophisticated mobile botnet, dubbed Pareto, is made up on nearly a million infected mobile Android devices pretending to be millions of people watching ads on smart TVs and other devices.
Human Security said the botnet used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, accounting for an average of 650 million ad requests every day.
The bot mitigation startup, said its Satori Threat Intelligence and Research Team first discovered the mobile botnet in 2020 and has been working to mitigate the threat while partnering with Google, Roku and others to disrupt the ad-fraud operation.
The Pareto botnet worked by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent CTV platforms.
Human Security researchers found that the botnet took advantage of digital shifts that were accelerated by the pandemic, hiding in the noise in order to trick advertisers and technology platforms into believing ads were being shown on CTVs. “This particular approach is lucrative for fraudsters, as pricing for ads on connected TVs is often substantially higher than pricing on mobile devices or on the web,” the company said.
The company said the Pareto operators have been “incredibly sophisticated and evasive over the last year,” changing spoofing cycles to come up with new disguises for fake traffic.
Human Security said its researchers also found a distinct-but-connected operation on Roku. “We found a collection of 36 apps on Roku’s Channel Store that received instructions from the same server that was operating nodes in the Pareto botnet.”
“That server, called a command-and-control (C2) server, sends instructions out to all of the phones that have been infected, and those phones then carry out the activity. These Roku apps, in a similar fashion to the Android-based Pareto apps, were spoofing other smart TV and consumer streaming products,” according to a technical report on the botnet.

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
More from Ryan Naraine
- Microsoft Catches Chinese .Gov Hackers Targeting US Critical Infrastructure
- Researchers Spot APTs Targeting Small Business MSPs
- Mikrotik Belatedly Patches RouterOS Flaw Exploited at Pwn2Own
- Red Hat Pushes New Tools to Secure Software Supply Chain
- Investors Make $6M Bet on Manifest for SBOM Management Technology
- Entro Raises $6M to Tackle Secrets Sprawl
- IBM Snaps up DSPM Startup Polar Security
- Huntress Closes $60M Series C for MDR Expansion
Latest News
- Industrial Giant ABB Confirms Ransomware Attack, Data Theft
- Organizations Worldwide Targeted in Rapidly Evolving Buhti Ransomware Operation
- Google Cloud Users Can Now Automate TLS Certificate Lifecycle
- Zyxel Firewalls Hacked by Mirai Botnet
- Watch Now: Threat Detection and Incident Response Virtual Summit
- NCC Group Releases Open Source Tools for Developers, Pentesters
- Memcyco Raises $10 Million in Seed Funding to Prevent Website Impersonation
- New Russia-Linked CosmicEnergy ICS Malware Could Disrupt Electric Grids
