Singapore – HUMAN, a cybersecurity company formerly known as White Ops, has launched a new program aimed at protecting connected television (CTV) advertising from fraud, in partnership with the newly launched initiative ‘The Human Collective’, composed of Omnicom Media Group, The Trade Desk, and Magnite, with support from Google and Roku.
The launch of the program was in response to the spread of PARETO, a botnet that, according to HUMAN, used nearly a million infected Android mobile devices to pose as millions of people watching ads on smart TVs and other devices. The botnet used dozens of mobile apps to impersonate or spoof more than 6,000 CTV apps, generating an average of 650 million ad requests every day.
PARETO worked by spoofing signals within malicious Android mobile apps to impersonate consumer TV streaming products running Fire OS, tvOS, Roku OS, and other prominent CTV platforms. The botnet took advantage of the shift to streaming that the pandemic accelerated, hiding in the noise of legitimate traffic in order to trick advertisers and technology platforms into believing ads were being shown on CTVs.
HUMAN’s research arm, the Satori Threat Intelligence and Research Team, discovered the PARETO operation in 2020 and has been working with the rest of HUMAN to limit its impact on clients ever since. The operation is named after the Pareto Principle, the economic observation that roughly 80% of the effects in a given situation come from about 20% of the causes.
“CTV provides massive opportunities for streaming services and brands to engage with consumers through compelling content and advertising. Because of this opportunity, it is incredibly important for the CTV ecosystem and brands to work together through a collectively protected advertising supply chain to ensure fraud is recognized, addressed, and eliminated as quickly as possible,” said Tamer Hassan, CEO and co-founder at HUMAN.
HUMAN also observed a far smaller but connected effort attempting to spoof consumer streaming platforms directly. The company identified a single developer on Roku’s Channel Store whose apps were connected to PARETO. The apps linked to that developer, which affected less than half of one percent of Roku’s active devices globally, were designed to communicate with the server that operates the PARETO botnet. The primary operation was associated with 29 Android apps; the secondary operation was associated with one Roku developer delivering the malicious apps to infected devices.
“What’s especially striking about this operation is its scale and sophistication. The actors behind PARETO have a fundamental understanding of numerous aspects of advertising technology, and used that to their advantage in how they hid their work within the CTV ecosystem. Their efforts included low-level network protocol spoofing, which is especially hard to detect, but which our team at HUMAN spotted,” said Michael McNally, chief scientist at HUMAN.
The Satori Threat Intelligence and Research Team used numerous tools to identify the sources of the botnet, and the resulting information has been shared with law enforcement.