Malware main culprit for mobile ad fraud and airtime theft in South Africa


According to full year 2019 data by mobile security expert, Secure-D nearly 1.7 million mobile subscribers are infected with mobile malware in South Africa alone. The copany states that malware is the main culprit responsible for airtime theft and mobile ad fraud evident in the country. With around 18,000 instances found on South African users’ devices, users are urged to be vigilant and take measures.

How malware highjacks mobile devices

Mobile malware can either be downloaded on the device by the user via an app or come pre-installed. Once activated on the device, mobile malware becomes part of a “botnet” (short for robot network) of infected devices. These botnets, networks of malware-infused devices, are being remote-controlled at scale by a “bot-herder”.

In the case of mobile ad fraud, the malicious application visits websites, clicks on banner ads and simulates a real person going through a
subscription or other Direct Carrier Billing purchase processes. It even overrides a two-step authentication process all the while remaining undetected by the user. The fraudsters’ goal is to claim pay-outs from advertisers for bogus traffic.

The result is unsolicited airtime charges with users being able to detect the early signs of a malware infection when they see their mobile data plan being rapidly depleted with no apparent reason.

What is especially tricky about mobile malware is that it continues to operate without raising the suspicions of the user of the device. Tricks include making sure the app functions well even when malware runs in the background or ensuring that excessive battery drain doesn’t occur. Some apps change their name after they have been downloaded or remain totally out of sight i.e. they cannot be found at the homepage of a device with an app icon.

The issue in South Africa

In 2019 Secure-D detected a total of 1.69 million malware-infected devices in South Africa, spanning 18,000 different applications. Secure-D maintains a public global malware list where the top malware threats in each market is being reported.

Out of the thousands of different malware apps active in the country the top 25 most active in the period of June to August 2020 that are available through Google’s Play Store are listed in the image below:

The three worst offending apps in the country for the June to August 2020 period are:

  • Shareit – Sharing app with cross-platform transfer speed and free online feeds including movies, videos, music, wallpapers, GIFs.
  • Vivavideo – An app for editing photos and videos. It has been downloaded more than 100 million times worldwide, and Secure-D has blocked more than half a million fraudulent transactions originating from the app in South Africa alone.
  • StatusSaver – An app that shows users’ statuses from four different apps and environments.

Secure-D has been deployed in South Africa since late 2018 with the largest mobile network operators in the country covering 70 million mobile subscribers. According to Secure-D data for 2019 86% of the mobile transactions processed were fraudulent. During the full year 2019-end of August 2020 period Secure-D has processed more than 73 million mobile transactions, identifying and blocking a staggering 24K malicious apps that had infected over 2 million mobile devices.

What users can do

To avoid falling victim to unwanted purchases or lose pre-paid credit, Android users in particular should check their phones to see if they have any of the apps flagged as suspicious installed.  If so, they should uninstall them immediately and review any new mobile airtime charges for possible fraud.

Users wishing to protect themselves are advised that third-party app stores often apply less scrutiny for adverse code and odd behavior in listed applications, but even apps from official sources like Google Play can be compromised.

Before any installation, users should check the app’s reviews, developer details, and list of requested permissions, making sure that they all relate to the app’s stated purpose.

Head of Secure-D, Geoffrey Cleaves, commented: “Malware can be responsible for creating millions of dollars of fraudulent revenue. It impacts consumers’ pockets and mobile service experience by eating up their data, incurring unwanted charges, and affecting the performance of their phones. The mobile advertising fraud market is worth more than $40bn annually. Dressing up to appear as legitimate and often popular applications, undetected malware damages the industry’s reputation, leaving mobile operators and their customers exposed, picking up the tab.”

Secure-D has assisted 31 mobile operators across 20 countries, covering nearly 700 million mobile users. In 2019, the platform blocked $2.1 billion worth of fraudulent transactions, improving the end-user experience and building customer loyalty on behalf of operators around the world.  The platform’s clearing process ensures no customer is charged until the validity of each transaction can be verified. Upon the platform’s deployment user complains drop significantly, with the new measures saving customers tens of millions of dollars.

Recently Secure-D found pre-installed malware on a number of handsets manufactured by leading Chinese phone manufacturer, Transsion. The model in question was the Tecno W20, a low-cost handset typically sold in South Africa and Asia. The investigation has received widespread coverage, with the issue affecting South Africa among other countries such as Egypt, Ethiopia, Cameroon, and Ghana.