Hundreds of fake apps and millions of downloads contribute to billions in ad fraud – welcome to the brave new world of ghost click farms.
In September, security researchers discovered SlopAds, a malicious app operation that turned 38 million Android devices into invisible fraud nodes.
CEO and founder of Fraud Blocker.
Unlike traditional click farms, where rows of smartphones mimic customers, ghost click farms leverage personal devices to carry out fraud invisibly and remotely, unlocking new scale and obscuring detection.
To make matters worse, AI tools allow ad fraud actors to better automate attacks and do more with less.
This is a warning sign for companies. Global ad fraud consumes more than 20% of digital marketing spend and scams like this exacerbate a costly problem.
Let's delve into this phenomenon and how companies, armed with their own smart tools and enhanced defenses, can fight back.
New scale, scope and sophistication
SlopAds scammers operated more than 200 AI-themed apps (such as productivity tools and text-to-image creators) to capitalize on consumer interest and drive downloads.
These were cheap app interfaces designed to look legitimate on Google Play (much like mass-produced “AI crap”, hence the name), but technically worked as advertised.
However, a clever deception worked to compromise selected devices and cover up the scheme. Only users who discovered the app through a threat actor-driven ad campaign (rather than finding it organically) would trigger a background fraud payload.
These applications silently launched a malicious module and an invisible browser to load “takedown” sites filled with ads. By simulating human behaviors such as scrolling, clicking, and viewing, the malware generated billions of fraudulent ad impressions without users even realizing it.
The goal was money, pure and simple. Scammers directed ghost click farms to games and news websites they controlled, with each false impression resulting in micropayments totaling millions of dollars.
Unfortunately, this is big business on the Internet, and ad fraud surpasses credit card fraud as one of the most lucrative digital crimes in the world. Bad actors in this space enjoy higher margins and lower risks, while legitimate companies and advertisers foot the bill.
AI further complicates ad fraud
Perhaps in a sign of things to come, AI played a critical role in the pull and attack mechanism of this network. Scammers not only attracted downloads with AI ads, but also used automation and imitation to bypass the platform's filters.
The widespread availability of generative tools and their application in fraud threatens marketing metrics, trust, and results across the board.
Bots like this distort click-through rates, kill conversions, and poison performance data. Likewise, advertising platforms use auction systems to determine costs, so fraudulent “demand” artificially inflates prices.
Taking this a step further, it's easy to imagine this technology being weaponized in targeted attacks: a competitor could deploy ghost click farms through fraud-as-a-service to damage campaigns during critical periods.
With ad fraud expected to reach more than $170 billion by 2028, many marketers want to fight fire with fire. As a result, companies are increasingly incorporating AI to identify anomalous patterns that human analysts and traditional rules-based systems miss.
This is a game of cat and mouse in which scammers currently have an advantage that they didn't have a year ago. We are fighting bad actors in a productivity boom; Therefore, we too must adopt smarter tools and better methods to protect advertising impact in the future.
How companies fight fake clicks
This is something businesses of all sizes need to consider now. Ad fraud wastes one in every five marketing dollars, and better technology in this space threatens even worse returns.
Start by auditing campaigns to detect exposure patterns. This includes sudden spikes in traffic from specific geographies, unusually high click-through rates with low conversions, and repetitive IP addresses.
Additionally, since Google only detects 10% of invalid clicks, operate under the assumption that the fraud protection provided by the platform is not sufficient. Third-party partners can help incorporate smarter detection tools to detect bot-like click patterns and device fingerprinting inconsistencies as they occur.
This is important because time is critical. SlopAds grew for months and siphoned off millions before being discovered, making real-time detection non-negotiable.
Improved collaboration between marketing and network security teams is a good way to track unusual browser activity, unexpected API calls to attribution platforms, and suspicious command and control server communication patterns.
Treating ad fraud as a cybersecurity issue, and not just a marketing issue, introduces much-needed internal expertise and attention to the problem.
AI emboldens and equips cybercriminals to achieve new levels of ad fraud. In fact, the ghost click farm scheme was so successful that researchers believe threat actors will likely adapt it again to target the digital advertising ecosystem.
This brave new world demands brave new defenses, and it is up to businesses to move at the same pace.
The best email marketing service.
This article was produced as part of TechRadarPro's Expert Insights channel, where we feature the best and brightest minds in today's tech industry. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing, find out more here:
