A BuzzFeed News investigation uncovered a sophisticated ad fraud scheme involving more than 125 Android apps and websites, some of which were targeted at kids.

Last April, Steven Schoen received an email from someone named Natalie Andrea who said she worked for a company called We Purchase Apps. She wanted to buy his Android app, Emoji Switcher. But right away, something seemed off. “I did a little bit of digging because I was a little sketched out because I couldn’t really find even that the company existed,” Schoen told BuzzFeed News. The We Purchase Apps website listed a location in New York, but the address appeared to be a residence. “And their phone number was British. It was just all over the place,” Schoen said. It was all a bit weird, but nothing indicated he was about to see his app end up in the hands of an organization responsible for potentially hundreds of millions of dollars in ad fraud, and which has funneled money to a cabal of shell companies and people scattered across Israel, Serbia, Germany, Bulgaria, Malta, and elsewhere. Schoen had a Skype call with Andrea and her colleague, who said his name was Zac Ezra, but whose full name is Tzachi Ezrati. They agreed on a price and to pay Schoen up front in bitcoin. “I would say it was more than I had expected,” Schoen said of the price. That helped convince him to sell. A similar scenario played out for five other app developers who told BuzzFeed News they sold their apps to We Purchase Apps or directly to Ezrati. (Ezrati told BuzzFeed News he was only hired to buy apps and had no idea what happened to them after they were acquired.) Advertisement

“A significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application." Share on Facebook Share on Facebook Share on Twitter Share on Twitter

The Google Play store pages for these apps were soon changed to list four different companies as their developers, with addresses in Bulgaria, Cyprus, and Russia, giving the appearance that the apps now had different owners. But an investigation by BuzzFeed News reveals that these seemingly separate apps and companies are today part of a massive, sophisticated digital advertising fraud scheme involving more than 125 Android apps and websites connected to a network of front and shell companies in Cyprus, Malta, British Virgin Islands, Croatia, Bulgaria, and elsewhere. More than a dozen of the affected apps are targeted at kids or teens, and a person involved in the scheme estimates it has stolen hundreds of millions of dollars from brands whose ads were shown to bots instead of actual humans. (A full list of the apps, the websites, and their associated companies connected to the scheme can be found in this spreadsheet.) One way the fraudsters find apps for their scheme is to acquire legitimate apps through We Purchase Apps and transfer them to shell companies. They then capture the behavior of the app’s human users and program a vast network of bots to mimic it, according to analysis from Protected Media, a cybersecurity and fraud detection firm that analyzed the apps and websites at BuzzFeed News' request. Advertisement This means a significant portion of the millions of Android phone owners who downloaded these apps were secretly tracked as they scrolled and clicked inside the application. By copying actual user behavior in the apps, the fraudsters were able to generate fake traffic that bypassed major fraud detection systems. “This is not your run-of-the-mill fraud scheme,” said Asaf Greiner, the CEO of Protected Media. “We are impressed with the complex methods that were used to build this fraud scheme and what’s equally as impressive is the ability of criminals to remain under the radar.”

“This is not your run-of-the-mill fraud scheme.” Share on Facebook Share on Facebook Share on Twitter Share on Twitter

Another fraud detection firm, Pixalate, first exposed one element of the scheme in June. At the time, it estimated that the fraud being committed by a single mobile app could generate $75 million a year in stolen ad revenue. After publishing its findings, Pixalate received an email from an anonymous person connected to the scheme who said the amount that’s been stolen was closer to 10 times that amount. The person also said the operation was so effective because it works “with the biggest partners [in digital advertising] to ensure the ongoing flow of advertisers and money.” In total, the apps identified by BuzzFeed News have been installed on Android phones more than 115 million times, according to data from analytics service AppBrain. Most are games, but others include a flashlight app, a selfie app, and a healthy eating app. One app connected to the scheme, EverythingMe, has been installed more than 20 million times.

Advertisement Once acquired, the apps continue to be maintained in order to keep real users happy and create the appearance of a thriving audience that serves as a cover for the cloned fake traffic. The apps are also spread among multiple shell companies to distribute earnings and conceal the size of the operation. The revelation of this scheme shows just how deeply fraud is embedded in the digital advertising ecosystem, the vast sums being stolen from brands, and the overall failure of the industry to stop it. App metrics firm AppsFlyer estimated that between $700 million and $800 million was stolen from mobile apps alone in the first quarter of this year, a 30% increase over the previous year. Pixalate’s latest analysis of in-app fraud found that 23% of all ad impressions in mobile apps are in some way fraudulent. Overall, Juniper Research estimates $19 billion will be stolen this year by digital ad fraudsters, but others believe the actual figure could be three times that. This scheme’s focus on Android apps also exposes the presence of fraud, malware, and other risks affecting Google’s mobile ecosystem and the users who rely on it. Experts say a scheme like this targets Android in part because of its huge user base, and because the Google Play store has a less rigorous app review process than Apple’s App Store. Android apps are bought and sold, injected with malicious code, repurposed without users’ or Google’s knowledge, or, as in this case, turned into engines of fraud. (Apple’s App Store is by no means immune to malicious attacks: A security researcher recently revealed that a top paid app is secretly transmitting user browsing data to a server in China.) Advertisement Google told BuzzFeed News it quickly removes any apps that violate Play store policies and that last year it took down more than 700,000 apps that were in violation. It also emphasized its commitment to fighting ad fraud by implementing standards such as ads.txt. “We take seriously our responsibility to protect users and provide a great experience on Google Play. Our developer policies prohibit ad fraud and service abuse on our platform, and if an app violates our policies, we take action,” said an emailed statement from a Google spokesperson. The ad networks and ad exchanges used by the scheme include major players, such as those operated by Google, which means these companies earned commission if ads shown to bots went undetected. There is no evidence Google or any of the other companies knew the inventory was fraudulent. After being provided with a list of the apps and websites connected to the scheme, Google investigated and found that dozens of the apps used its mobile advertising network. Its independent analysis confirmed the presence of a botnet driving traffic to websites and apps in the scheme. Google has removed more than 30 apps from the Play store, and terminated multiple publisher accounts with its ad networks. Google said that prior to being contacted by BuzzFeed News it had previously removed 10 apps in the scheme and blocked many of the websites. It continues to investigate, and published a blog post to detail its findings. The company estimates this operation stole close to $10 million from advertisers who used Google's ad network to place ads in the affected websites and apps. It said the vast majority of ads being placed in these apps and websites came via other major ad networks. Advertisement Asked whether it reviews apps in the Play store on an ongoing basis, a company spokesperson pointed to a blog post from earlier this year that said, “Sometimes developers change the content or behavior of their app and associated app listing and marketing materials after initially approved, requiring ongoing reviews as new information becomes available that can alter the original policy judgment.” The company would not say whether any apps in this scheme received a subsequent review after they changed ownership, or for any other reason.

Got a tip about ad fraud? You can email tips@buzzfeed.com. To learn how to reach us securely, go to tips.buzzfeed.com. Share on Facebook Share on Facebook Share on Twitter Share on Twitter

Amin Bandeali, the chief technology officer of Pixalate, told BuzzFeed News that app stores provide minimal ongoing review of apps and their developers, which makes them an easy target for fraudsters and other bad actors. “App stores, perhaps unwittingly, are providing a gateway to connecting fraudsters with [advertising] inventory buyers and sellers,” he said. “While the stores present customer reviews, download numbers and other ‘quality’ metrics, they offer minimal services that vet the business practices, technology and relationships of the app companies.” To identify key beneficiaries of this scheme, BuzzFeed News analyzed corporate registration records, domain ownership and Domain Name System data, Play store listings, and other publicly available information. It revealed that the network of apps and websites is linked to Fly Apps, a Maltese company with multiple connections to the scheme.

Advertisement Corporate records obtained by BuzzFeed News show that Fly Apps is owned by two Israelis, Omer Anatot and Michael Arie Iron, and two Germans, Thomas Porzelt and Felix Reinel. Anatot's LinkedIn profile lists him as the CEO of EverythingMe, a popular app owned by Fly Apps. In messages sent on WhatsApp, Anatot said he only manages EverythingMe and blamed the initial fraud identified by Pixalate on a firm he says they worked with, AdNet Express. He said his company paid AdNet Express to generate installations of its apps to help grow its user base, and that any fraud was the fault of their partner. “They were buying installs for us for a short time,” he said. “Very soon it turns out these guys were 100% fraudulent traffic of bots pushing installs.” It’s unclear if AdNet Express is a real company. It has virtually no online profile or reputation other than a very basic website, which does not list an address or phone number or cite any clients or projects. The domain ownership information for the site listed a fake US mailing address, as well as the email address “MatthewBStrack@teleworm.us.” That email address was generated using a service called Fake Mail Generator. The company’s two employees listed on LinkedIn cite no additional work experience or educational background on their profiles, and appear to have no other online presence. BuzzFeed News sent an email citing Anatot’s claims to the address listed on the company’s website. “This is very interesting,” someone wrote back. “Today, i cannot speak but Friday.” They did not reply to subsequent emails. Advertisement Also, at some point after Anatot began communicating with BuzzFeed News, many of the websites in the scheme were taken offline. Several websites for shell companies were unpublished at the same time. “You try to tie me into something I've no relationship to,” Anatot said in a message. “And if you go and publish that, you and the publisher will carry the legal liability. You really have no grounds for the things you tie me to.” After receiving a detailed email with information connecting Fly Apps to apps and companies involved in the scheme, the company responded with a letter from its attorney that denied any involvement in, or knowledge of, the fraud identified by Pixalate. Fly Apps also denied it has any connections to the apps, websites, and companies identified in the overall fake traffic scheme. “Please be advised that my client categorically denies these very serious and false allegations, which if published, would cause tremendous harm to it,” the letter, from Harder LLP, said. “Fly Apps’ applications are loved by many, and have a significant amount of users. Fly Apps is a reputable application developer, which has long been supported by advertising partners and advertising verification companies.” The letter, which can be read in full here, omitted any reference to AdNet Express and instead blamed the fraud revealed by Pixalate on an unnamed third party that provided a "corrupted" software development kit. It did not address the fact that Protected Media detected fake traffic in many of these apps and websites beginning more than a year ago. Advertisement A subsequent set of questions from BuzzFeed News asked Fly Apps to comment on the fact that Google removed advertising accounts associated with websites and apps it found had received high levels of fraudulent traffic. The company, speaking through its lawyer, acknowledged that Google was recently in touch with Fly Apps about its account(s). "A few days ago, Fly Apps received a Google notification concerning an issue with Adsense and is in the process of trying to obtain further information. Fly Apps is confident that it will resolve this issue in due time and notes that the Google notification did not mention any issues regarding bad traffic," said an emailed statement. BuzzFeed also asked the company to comment on the fact many websites connected to the scheme went offline after Fly Apps learned of BuzzFeed News' interest, and many apps in the scheme have since been removed from the Play store by Google. "Fly Apps cannot comment on applications and websites, online or offline, that are not related to Fly Apps," it said. Here’s a breakdown of how a group of partners leveraged technical knowledge and connections within the advertising ecosystem, a network of shell companies with fake employee profiles, an army of bots, and more than 100 apps and websites to operate a scheme that an insider says stole hundreds of millions of dollars.

1. How The Fake Traffic Works The first step to creating convincing fake traffic for this scheme is to acquire Android apps used by actual human users. The fraudsters study the behavior of the users and then create bots — automated computer programs — that mimic the same actions. The bots are loaded onto servers that contain specialized software that enables the bots to generate traffic within the specific apps. Advertisement In the case of websites in the scheme, the bots visit them using virtual web browsers that help present this traffic as human. In both cases, the fake traffic generates ad views, which in turn earns revenue. The blending of real humans with bots helps defeat systems built to detect fake traffic, because the real traffic and fake traffic look almost exactly the same. “These bots are unique to this operation, mimicking real user behavior. The traffic is therefore a mix of real users inside a real app, and fake traffic,” said Greiner of Protected Media. (Google's investigation also found that some of the fake traffic directed to properties in the scheme came from a botnet called "TechSnab.")

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest

“It’s clear to us that the people orchestrating this scheme are both familiar with the ad tech industry and with the mainstream data science approach to detecting ad fraud,” he said.

Anatot previously ran a company, Install Labs LTD, that distributed adware and other software classified as “potentially unwanted programs” (PUP) by security and anti-virus firms due to them causing frustration for users, and often installing other programs without permission. He’s also an investor in Montiera, another company that distributed software classified as PUP. Like the Android apps and websites in this scheme, these PUP offerings relied on digital advertising to generate revenue. Advertisement Reinel and Porzelt previously ran a German hosting and server administration company called hostimpact.de. Between those three, they possess the background in advertising and server management necessary for this scheme. It’s unclear what Iron did prior to Fly Apps, though as detailed below he is part owner of a Serbian company that develops mobile apps for Android, as well as other web products.

2. How The Fraud Was First Discovered The scheme began to unravel this summer when data scientists at Pixalate detected something alarming in an Android app called MegaCast. The app’s pitch was that it enabled a user to play any video, regardless of format, on a streaming device. But behind the scenes, MegaCast was pretending to be something it wasn’t. Pixalate found that MegaCast was at times displaying the unique ID of other apps in order to attract bids for ads. This meant ad buyers thought they were, for example, buying ads in the far more popular EverythingMe app when in reality they were showing up in MegaCast. (This is called “spoofing,” because MegaCast was pretending to be other apps.) Pixalate identified roughly 60 apps being spoofed by MegaCast and estimated this one scheme could generate $75 million per year in fraudulent ad revenue. It documented ads from major brands such as Disney, L’Oréal, Facebook, Volvo, and Lyft being fraudulently displayed. Pixalate revealed its findings in a June blog post, and MegaCast was soon removed from the Google Play store. Fly Apps told BuzzFeed News that MegaCast was a victim of the spoofing scheme, and that it removed the app from the Play store because "its reputation has unfortunately been tarnished by recent events. Fly Apps will be creating a new and improved casting application."

Advertisement Soon after Pixalate went public with its findings, an email arrived in its inbox from an email address at Mobilytics.org, an analytics company that helped facilitate the MegaCast fraud. (It was used to track how much money was being earned from ads placed with each spoofed app ID.) “This email is directed to the top management team of Pixalate. For the obvious reasons, my name is not relevant now,” read the email. The person offered to share their inside knowledge to fully expose the scheme and reveal how big it really is.

“Your estimation of $75 [million] accumulated damage is probably 10% of the real numbers.” Share on Facebook Share on Facebook Share on Twitter Share on Twitter

“I will explain you the technologies to create traffic on android, how to distribute it, how to sell the created traffic, the business structures needed, but most of all how to partner with the biggest partners to ensure the ongoing flow of advertisers and money,” the email said. (Contrary to what Anatot and Fly Apps claimed, this inside source said nothing about fraudulent app installs or a corrupted software development kit.) “And by the way,” the message said, “your estimation of $75 [million] accumulated damage is probably 10% of the real numbers. But that just explains how unaware or just cooperative the industry is with this growing ‘business.’” Advertisement Pixalate replied to ask for more information, but never heard back. Soon, all replies to the email bounced back as a result of Mobilytics’s website being taken offline. By then, BuzzFeed News had begun its own investigation of the ownership information and other details related to the spoofed apps. This dive into corporate records, domain registration information, DNS data, and other publicly available sources led to a startling conclusion: Rather than being victims of the MegaCast spoofing, the apps were all connected and therefore part of the same scheme. This aligned with what the anonymous Mobilytics employee hinted at. Protected Media’s subsequent discovery of the fake traffic generated by bots also confirmed what the source said. Ultimately, this information led to the group of four men operating Fly Apps, which owns MegaCast, EverythingMe, and other applications.

3. Key Beneficiaries Back in 2015, EverythingMe was one of the most promising Android apps in the Play store. It won a Webby Award, was featured by Google, amassed more than 10 million downloads, and raised more than $35 million in venture capital. EverythingMe is a “launcher” that helps organize apps and contacts, and surfaces relevant information based on when you’re using your phone. In spite of its success, at the end of 2015, the company that created it announced it was shutting down and soon removed EverythingMe from availability. Without a hot startup behind it, the app was largely forgotten. In 2016, the app was quietly sold to a new owner, according to a former EverythingMe executive who asked not to be named or quoted. They declined to say who bought it, citing a nondisclosure agreement. In early 2017 the EverythingMe Twitter account briefly sprung to life to tweet that “EverythingMe is back!” and promote a download link. Advertisement As of today, EverythingMe is the property of Fly Apps. On LinkedIn, Anatot, an Israeli, lists himself as CEO of EverythingMe. Corporate ownership records confirm that Anatot owns 25% of Fly Apps, along with three other men who each own the same share: Thomas Porzelt and Felix Reinel, two Germans; and Michael Arie Iron, an Israeli. After hearing that a BuzzFeed News reporter was looking into his company, Anatot reached out by email: “I understand that you are looking into mobile apps advertising and assumed very wrong conclusions about me, my company and my partners.” In a subsequent WhatsApp chat Anatot blamed the fraud detected by Pixalate on AdNet Express, a company that may not exist. He also downplayed his role and ownership stake in Fly Apps. “My holiding [sic] in fly apps is private matter, but I can tell you that I'm a far minority holder,” he said, omitting the fact that he owns the same share as his three partners. Anatot said that after he acquired EverythingMe, “Fly apps teamed up with me to supply the tech team and financing.” He said he does not have oversight of other Fly Apps products. But additional details connect Anatot in other ways to at least one of his Fly Apps partners. Anatot runs a company called TinTin Consulting that serves as his vehicle for investing in companies. His list of portfolio companies was removed from TinTin’s website after Anatot learned of BuzzFeed News’ interest in him. But before it was scrubbed, the site listed the Serbian-based mobile apps and software development company Kudos as one of his investments. Maltese corporate records show Anatot’s partner Iron owns 49% of that company. Advertisement Milos Kovacki, the founder and COO of Kudos, told BuzzFeed News the company never worked with Fly Apps or any of the shell companies involved in the scheme. But the LinkedIn profiles of two Kudos employees detail their work on MegaCast, the Fly Apps Android app that Pixalate found to be at the center of the spoofing scheme. Kovacki did not respond to subsequent questions. BuzzFeed News also found multiple connections linking Fly Apps to other companies, websites, and apps in the ad fraud operation. The Play store pages for EverythingMe, Restaurant Finder, and MegaCast all list the Malta address used by Fly Apps. That same address was also listed on the website of Mobilytics, the company that was central to the initial fraud discovered by Pixalate. The letter from Fly Apps’ lawyer noted that this address is for a corporate registration agent in Malta, not an actual business office. However, a Google search for the address the exact way it’s written on these pages almost exclusively brings up results connected to apps owned by Fly Apps. That initial connection is not conclusive on its own, but quickly combines with others. A key connector between Fly Apps and properties in the scheme is the email address lorentsen@yandex.ru. It was used to register the domain names for the websites of Fly Apps properties EverythingMe and Restaurant Finder. And it’s also the email address used to register the websites for 15 other apps implicated in the scheme, which in turn connect to eight shell companies. A third connection between Anatot/FlyApps and companies or properties in the scheme is the MegaCast app. Anatot acknowledged to BuzzFeed News that MegaCast is owned by Fly Apps. But the since-removed MegaCast website listed a Bulgarian company called Messamta Project as its developer. Messamta’s corporate records list a Bulgarian address used by more than a dozen other apps in the scheme. It’s also the corporate registration address used by three additional Bulgarian shell companies that were publicly listed as the owners of these apps and websites: Osipo/Osypo, Ventus Trading, and Rasolant. As with the Malta address, it appears to be almost exclusively associated with companies and apps involved in the scheme. Advertisement Fly Apps’ lawyer argued this was simply another case of their client using the same service providers as other companies. However, the websites for Osypo and Rasolant were both taken offline after BuzzFeed News began communicating with Anatot. And as detailed below, there is overwhelming evidence that these and other related companies are nothing more than shells created to help execute the fraud scheme.

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest

The Fly Apps website itself also provides a fourth connection. Its design and some of its text is a carbon copy of the website Loocrum.com, which describes itself as a mobile apps monetization platform. The code for the Fly Apps site even includes a reference to Loocrum, showing that at least some of its code was literally copied from that site. The Loocrum website was registered last year by a person named Petar Popovich with the email address ppopovic588@gmail.com. That email address was also used to register the domain names of two shell companies involved in the scheme, Quaret and Visont. Petar Popovich is also the name of the Serbian citizen who registered Bulgarian shell companies in the scheme. (An email sent to that address went unanswered.) Advertisement A final connection of note is that the Restaurant Finder app, which belongs to Fly Apps, was removed from the Play store after Google began taking action against apps it determined had received fraudulent traffic as part of this scheme.

4. Connecting Apps And Companies After Steven Schoen sold his app, Emoji Switcher, to We Purchase Apps, the new owner created a website for it, emojiswitcher.com. And just like the websites for EverythingMe and Restaurant Finder, that domain was originally registered to a “Jacob Lorentsen” of London using the email address lorentsen@yandex.ru. (An email sent to that address did not receive a reply.) That same registration information appears in the whois records for 19 other domain names associated with Android apps in this scheme. These apps list at least eight different companies as their owner or developer: Lyrman, Osypo, Fly Apps, Morrum, Visont, Imoderatus, AEY Solutions, and Rasolant. And these companies in turn list addresses in Serbia, Cyprus, Latvia, Bulgaria, and Russia. That single domain registration email address connects a web of apps and shell companies to one another, as well as directly to Fly Apps:

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest


Another key connection between multiple apps and companies is the address in Bulgaria linked to Messamta Project. It appears in the Play store pages for 21 apps spread out among four companies. Along with being the corporate address of Messamta, it shows up in records for Rasolant, which is publicly listed as the owner of 12 other apps involved in the spoofing attack first identified by Pixalate, as well as seven related websites identified by BuzzFeed News. Osypo, which also uses the same Bulgaria address, is listed as the developer of four apps in the Play store that are part of the scheme. The company’s website, which like several others was deleted after BuzzFeed News began making inquiries, lists an additional seven apps in the scheme. This single address connects multiple companies, apps, and websites, which again connect back to Fly Apps:

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest

Other connections abound. For example, the Android game Surprise Eggs - Kids Game has a listing in the Play store that says it’s developed by a company called Visont, and the app’s website says the same. However, the domain registration information for the app's site lists its owner as Quaret Digital, a separate company that itself is the owner of 10 websites participating in the scheme. Its website was taken offline after BuzzFeed News began inquiries, but can be viewed here. (Visont’s website was also removed late last week. It was registered last year using the email address lorentsen@yandex.ru.) Advertisement On LinkedIn, at least one of Quaret’s purported employees uses a profile stolen from actor and Instagram influencer Sarah Ellen.

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest

The domain registration and other technical details of the website for Surprise Eggs offer additional connections. The site uses an SSL certificate registered to the website TrackMyShows.tv. Track My Shows is an Android app in the scheme that has a website registered to lorentsen@yandex.ru. (An SSL certificate is used to certify the identity of a website being loaded in a web browser, and it also helps ensure a secure connection for the user. Websites typically use a certificate connected to their specific domain, but sometimes site owners reuse a certificate across multiple properties.) More than 15 additional websites involved in the scheme reused the same TrackMyShows.tv SSL certificate, according to data from DomainTools. Those apps claim to be owned by companies named Imoderatus, Morrum, Mout, AEY Solutions, Quaret Digital, Visont, and Rasolant, respectively. All of these seemingly separate apps/websites, belonging to different companies, are also hosted on the same server. As of this writing, 13 of the apps were recently removed from the Play store, likely as a result of Google's ongoing investigation. Advertisement

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest

In its legal letter, Fly Apps explained all of these connections by saying they “are the practical result from application developers using the same pool of common service providers within a specific industry.”

“They are not the result of any illicit conduct by Fly Apps in developing and setting up an intricate web of malicious applications to create fake traffic and steal hundreds of millions of dollar in advertising revenue,” it added.

5. Technical Connections and Common Customer Support The technical elements of the apps provide more connections and evidence that they’re developed and managed centrally. BuzzFeed News provided a list of apps to Armando Orozco, a senior malware intelligence analyst at Malwarebytes. He examined a sample of 13 belonging to different shell companies and found they “seem to be built in the same manner and mostly have the same ad sdk’s bundled in them — likely from the same developers/gang just submitting under different names.” (Ad SDKs, or software development kits, are programming libraries that enable an app to run specific types of ads in order to earn revenue. This means these apps were all using the same types of ads and ad providers to make money.) Advertisement He also examined EverythingMe, the Fly Apps application, and found it had the same unique ad identification code as other apps, and said it contained “very similar code chunks and strings.” An additional connection between Fly Apps applications and the apps operated by shell companies can be found on their Play store pages. These supposedly separate developers repeatedly used the exact same phrase in response to user complaints about intrusive or overloaded ads: “we are trying to find the balance between clean user experience and funding our project!” It’s used by Fly Apps to respond to complaints about EverythingMe and MegaCast. And it’s used to respond to complaints about apps in the scheme including Track My Shows, Cat Rescue Puzzles, Surprise Eggs - Kids Game, Pix UI Icon Pack 2 - Free Pixel Icon Pack, Surprise Eggs Vending Machine, and Twist Your Fingers, among others.

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest

6. Shell Companies With Fake Employees, Fake Customers, Copied Text In some cases, the websites of shell companies used in the scheme list the names and photos of employees, and link to LinkedIn profiles for them. But BuzzFeed News found multiple cases where stock photos were used for employees’ pictures. In other cases, searches for employee names only turn up results related to the companies, suggesting they are made-up names. Multiple shell company websites also reuse the same marketing text, word for word. Advertisement One Bulgarian company called Atoses Digital says on its website that it’s the developer of sites in the scheme including scandalcity.tv, webarena.tv, healthtube.info, and dailydally.tv. (It also claims to have worked on Glam, a once-hot fashion website that was sold last summer.) The Atoses site lists eight employees, but BuzzFeed News found that at least half of the headshots are taken from stock image websites. The LinkedIn profiles of those employees list no employment or education experience other than their work at Atoses.

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest

Many shell company sites also feature fake customer testimonials. The website for a company called TapTapVideo claims it helps monetize MegaCast, Twist Your Fingers, and Smart Voice Assistant, three apps found in the scheme. Its site includes customer testimonials, one of which is from a woman named “Gabriella Byrd.” The photo used for her is, in fact, a picture of a UX designer named Kristi Grassi.

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest


“Yes, I'm aware this photo seems to be used all over,” Grassi told BuzzFeed News in an email after being alerted to its presence on the site. Grassi said her photo was uploaded to a site that allowed designers to use it in mock-ups. Since then it has been misused by others. Similarly, Osypo’s since-removed website had three customer testimonials, but BuzzFeed News could not locate any information about the people and companies cited. (The site also uses a stock photo to represent its office.) Along with fake employees and customers, the companies recycle the same text on their homepages. Kheus, Immoderatus, and Visont all say, “Before we start development process, we need to research subjects of the project, your competitors, the target audience of the project. Our research results in technical requirements and wireframes, determined together with the customer.” The websites for Visont, Ellut, and Morrum say, “To meet your campaign objectives, our technology suite includes all forms of targeting including re-marketing, contextual, behavioral, geographic and dayparting.” Osypo and Morrum also have identical text, including the statement that they provide “website development services that meet all your needs and are tailored according to the peculiarities of your business field.”

7. Video Websites With Plagiarized Content Along with Android apps, BuzzFeed News identified more than 35 websites connected to the shell companies. Protected Media and Pixalate both found evidence of fraudulent traffic on a selection of the sites. The vast majority of these websites present themselves as video content providers in lucrative verticals such as fashion, sports, or celebrity news. Many use the .tv domain suffix to reinforce their focus on video. Advertisement But the websites themselves rarely update their content and some displayed the same videos. Another sign that they’re empty vessels for fake traffic is the fact that the same sentence — “We deliver our services to to over 4 million households with set top boxes, and providing mobile video services that reach over 10 million subscribers” — is found on the About page of more than 20 sites in the scheme.

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest

Two other sites in the scheme, 24gossip.net and topstories.fun, copied their About page text from the website Gossip Cop, a celebrity fact-checking website. (Both of those URLs were registered using an email address connected to Rasolant, while their websites publicly list the owner as Quaret Digital, further demonstrating how the shell companies are intertwined.)

BuzzFeed News Share on Facebook Share on Facebook Share on Pinterest Share on Pinterest Pinterest Pinterest


Almost all of the websites listed in BuzzFeed News’ email to Anatot have since been taken offline. A final sign that they’re fraudulent properties was noticed by Ian Trider, the director of real-time bidding operations for Centro, a platform used by brands and agencies to buy digital ads. He told BuzzFeed News he banned several Quaret properties last year after noticing they included instructions in their website code that would stop Google from indexing the sites. This would have prevented the sites from attracting traffic from search. Less traffic means less revenue, so no legitimate ad-supported website would want that. “Asking search engines to avoid indexing your site is not something you normally do as a for-profit publisher. You want the public to visit so you can make money through advertising," Trider said. But search traffic seems less important when you can simply fabricate an audience. ●



Craig Silverman is a media editor for BuzzFeed News and is based in Toronto. Contact Craig Silverman at craig.silverman@buzzfeed.com. Got a confidential tip? Submit it here