Site navigation

Experts Disrupt Advertising Botnet with One Million Infected Devices

Michael Behr



PARETO created inflated advertising engagement, helping to fund malicious app developers.

A major botnet that created fake advertising engagement across the Connected TV (CTV) advertising ecosystem has been disrupted by cybersecurity experts.

The PARETO fraud operation was built up of nearly one million infected Android mobile devices. The infected devices would appear to be smart TVs and would impersonate over 6,000 CTV apps. These included popular services, such as Fire OS, tvOS, and Roku OS.

This tricked advertisers and technology platforms into believing ads were being shown on CTVs, with an average of 650 million ad requests every day.

The scam was lucrative for fraudsters, as pricing for ads on connected TVs is often substantially higher than pricing on mobile devices or on the web. Advertisers would then pay out additional money based on the artificially inflated viewership, increasing funds provided to malicious developers.

Around 29 Android apps were used to spread the app, with most being marketed on Google’s official Play store. The fraudulent apps included simple torch program Any Light, and game Sling Puck 3D Challenge.

The botnet was discovered and subsequently disrupted by cybersecurity company HUMAN (formerly White Ops). The group’s Satori Threat Intelligence and Research Team discovered PARETO in 2020, and worked to limit the effect of the botnet.

“What’s especially striking about this operation is its scale and sophistication,” said HUMAN Chief Scientist Michael McNally.

“The actors behind PARETO have a fundamental understanding of numerous aspects of advertising technology, and used that to their advantage in how they hid their work within the CTV ecosystem. Their efforts included low-level network protocol spoofing, which is especially hard to detect, but which our team at HUMAN spotted.”


The company warned that PARETO was incredibly sophisticated and evasive over the last year. After a year of threat identification and resolution, HUMAN and its partners — including Omnicom Media Group, The Trade Desk, Magnite, Google, and Roku — disrupted the botnet’s operations.

“CTV provides massive opportunities for streaming services and brands to engage with consumers through compelling content and advertising,” said HUMAN CEO and Co-Founder Tamer Hassan.

“Because of this opportunity, it is incredibly important for the CTV ecosystem and brands to work together through a collectively protected advertising supply chain to ensure fraud is recognized, addressed and eliminated as quickly as possible.”

In addition, Product Manager, Ad Traffic Quality at Google Per Bjorke added: “We appreciate the work of the research community, and value our collaboration with HUMAN.  Responsible disclosure and collaboration benefits the entire ecosystem, and we look forward to working with them on additional research in the future.”

Michael Behr

Senior Staff Writer

Latest News

Data Protection Editor's Picks
Digital Transformation Events
Cybersecurity Editor's Picks
%d bloggers like this: