Exploiting Android Users for Fun and Profit
I’m going to tell you about some stuff I’ve done that I’m not particularly proud of. This happened during a period of my life when I was working for a company in the advertising industry. The company already had a pretty strong handle on the email and display advertising markets, but the team I was hired into was a newer group whose job was to break into the desktop advertising game.
It may not be immediately apparent to you what I mean by “desktop advertising,” but I can guarantee that you’ve run into it at some point before. Every time your Grandma calls you up on the weekend complaining that her computer is running slow, and you fire up her copy of Internet Explorer 7 to find that she’s got twenty different toolbars installed, you’ve encountered the kind of thing my team was working on. Every time you’ve tried to install some open source software through a Google link, didn’t pay attention to checkboxes in the installer, and ended up with half a dozen useless registry scanners, disk cleaners, and so-called “anti-malware” programs unintentionally installed on your computer, you may have me to thank for that.
By way of apology, if you ever meet me in real life, I’ll buy you a beer. Promise. Just please try to resist the urge to punch me. I am very sorry for my involvement in everything that you are about to read.
As morbidly interesting as the desktop side of things might be (I may expand on it in a future post), I’m going to tell you a little bit about what we eventually branched into after the desktop business had settled into a stable channel of revenue for the company. Namely, mobile advertising.
The advertising industry is largely driven by plagiarism—you look for a money-making model that’s working well for someone else, then copy it. If you get in early enough and “drive a truck through it,” as one of my managers used to say, you stand to make a lot of money before rising competition turns it into a race to the bottom and profits dry up. That’s how we approached advertising on mobile at first.
Our first product was an “app-a-day” app for iOS that offered users a free app every day (the implication being that the offered app would otherwise not be free). There was another app called AppGratis that was doing pretty well and we wanted some of that action.
Our app was a flop straight out of the gate. The development philosophy while I was there involved pumping out production-ready products within a day or two—if something was going to take longer than that to get into the wild then it wasn’t worth doing. This meant that most of what we did (including this first iOS effort) was a buggy mess. The idea was that we would throw this low-effort proof-of-concept at the wall and see where it stuck best, then quickly iterate and fine-tune it to maximize profits.
This one didn’t really stick at all. Probably due to the fact that all of our “offers” were games and apps that a) nobody wanted and b) were already free on the app store. We didn’t make any effort to provide actual value to users, and we didn’t provide any value to the publishers because nobody was using our app. The whole thing ended up being moot anyway, because shortly after we got into the App Store, Apple yanked AppGratis and basically banned all “app-a-day” style apps forever. Pay attention and you’ll soon discover that this is the start of a common pattern.
Our struggles with Apple’s iron fist and how long it took to get new changes into the App Store left a sour taste, so we decided to move on to Android. The big money on Android at the time came in the form of push-ads—these were the ads that would appear in your notification center, even when the app that generated them wasn’t running. A company called AirPush more or less had the market cornered on push-ads, so we set out to emulate them and carve out our own little corner.
Since my company already had a vast supply of ads through its email and display channels, it was pretty easy for me to churn out a quick proof-of-concept SDK for Android that would tap our existing ad feeds and push them into the user’s notification center. From there on it became a game of attracting developers to use our network, and optimizing the SDK and ads to maximize profits. It went okay, but developer acquisition was a problem we never really cracked—probably due to our unwillingness to actually put any effort or quality control into anything that we did (improving the quality or “feel” of a product didn’t directly lead to increased profits, so it was generally frowned upon and discouraged).
And then Google dropped the ban-hammer. Push-ads were outlawed. This cut deep enough into profits that it was no longer worth spending time or resources on supporting the ad network, so we basically moved on.
This is when we strayed from the usual path of identifying an existing market to jump into and actually developed something that was, as far as I know, pretty novel. As I mentioned earlier, we had already developed desktop advertising into a thriving channel of the business, so we came up with a way to piggy-back mobile distribution into our existing desktop distribution model.
Once again I pumped out a quick and dirty proof-of-concept—this time in the form of a Windows app—that we would distribute through our desktop installer network as another checkbox for people to miss. This new app would sit in the user’s system tray, silently running in the background.
What did that app do, you ask?
If you have an Android and have spent any time looking for apps in Google’s App Store from your desktop computer, you may have noticed that there is an “Install” button which, when you are signed in, lets you install apps directly on your phone. You click the button on your desktop, the app automagically appears on your phone. You can probably guess where this is going.
Web browsers don’t really do a great job of protecting their cookies on your computer. They’ll go to hell and back protecting them from web-based attacks, cross-site scripting, injected iframes, etc. But once you’re actually on someone’s computer—once they’ve trusted and executed your code—getting their cookies is trivial; IE stores them as a bunch of plain-text files in the user’s directory, and Firefox and Chrome store them in unprotected plain-text SQLite databases (or did at the time, anyway).
So my new little desktop app, which was quickly distributed to millions of unsuspecting checkbox-ignoring users, would “borrow” their existing Google session by reading their browser cookies, then invisibly “click” that App Store install button for them on apps that were paying us for distribution. We started off with opt-in screens and notifications, letting the user know that they have signed up for our free “app discovery” platform and we just sent them a new app, but we quickly learned that if the user became aware of what was going on at any point in the process, they would remove our app and we’d lose them as a user (a-duh!). Over time, those notification and opt-in screens were “optimized” away as much as possible. They already “agreed” to our 23 page EULA when they were trying to install Paint.NET but accidentally clicked the wrong download button anyway, right?
Calling it an “app discovery” platform soon took on a new meaning for us. Usually that’s biz-speak for a service that helps users discover new apps that they want to use, but normally wouldn’t find because they’re buried too deep in the App Store. In our case, it meant users would wake up in the morning and “discover” new apps on their phone with no idea how they got there.
Several of the first apps we pushed were our own tracking apps that would allow us to call home and gather statistics about our users. The nature of the product meant that those apps had to be available through the Google App Store—you can probably imagine what the comments and ratings looked like on those apps. I certainly learned a few new profanities and insults. I also learned how good Google is at banning developer accounts. A particularly low point for me was talking to a Google employee through a newly-generated VOIP phone number under an assumed name, trying to activate a new developer account with a pre-paid credit card and a made-up address several states away. Logging in and managing the developer account had to be done remotely through an Amazon EC2 instance, since our office’s IP address was perma-banned.
It was around that time I started looking for a new job.
The stuff I worked on in that job was complete horseshit. It provided absolutely zero value to anybody. It existed and was expressly optimized for the sole purpose of exploiting non-tech-savvy computer users to generate undeserved profits. We all very much understood that our “users” were generally unaware that they were a source of revenue for us (this was considered a good thing) and it was often joked about. I knew this the whole time I was working there, and I felt shitty about it, but for a couple years not shitty enough to keep me from selling out for a reasonable paycheck, three free lunches every week, and good benefits.
I’ve since moved to a new state, a new job, and a different (less soul-sucking) industry, and feel really, really good about that decision. I’m now working on things that actually provide value to the users. If there’s a moral to this story, I’m not entirely sure what it should be. Maybe that “will it pay the bills?” shouldn’t be your only consideration when exploring new job opportunities. “Could I live with myself?” should be somewhere up there too.
I have no idea if any of the things I helped build are still alive out there. When I left, we still had problems identifying good users to push our desktop app to—it had to be someone who owned an Android, was logged into Google on their desktop, and had enabled the ability to push apps from the App Store to their phone. This is a small segment of the total universe of desktop users, meaning that even though we were able to make insane amounts of money off the users we got, we weren’t able to get that many users. With the never-ending Google account closures to boot, it wouldn’t surprise me if that product was eventually tossed into the heap along with our other failed endeavors to make way for the next million-dollar idea. Though, the last thing they had me working on before I left was reverse-engineering how iTunes installed apps in the hopes of developing a similar distribution model for iOS. We knew it was possible because there were a couple Chinese products out there that could push signed apps directly to iOS devices already.
I’ll end this post by once again apologizing for everything I did while working there. It is a definite fact that I made thousands (at least) of people’s lives a little bit worse through my efforts, and that still bugs me. But that’s okay—hopefully it means I managed to escape with my conscience still somewhat intact.
So please, tell your Grandma I’m sorry. And to upgrade her browser.
Short Permalink for Attribution: rdsm.ca/exploit