The Zombie Apps Rise Again: Live Fraud Paper Threat 2.0

Richard Kahn - October 18, 2017

Just in time for Halloween, zombie apps are rising from the dead. After Anura’s original discovery earlier this summer, they’ve detected fraudulent live wallpaper apps in the Google Play Store are re-emerging.

So, what exactly are the fraudsters up to this time? Here’s what you need to know.

The Original Threat: Live Fraud Paper Threat

Earlier this summer Anura detected click attempts being made from several apps in the Google Play Store. The apps, the Lovely Rose and Oriental Beauty, were installed on a mobile device that remained in sleep mode during the time period.

Despite the device being isolated (e.g. no human activity), click logs showed 3,061 requests for an ad, and ads were granted 169. Big name brands like Snapchat and Wendy’s received these clicks, which clearly were non-human.   

The majority of the affected apps were live wallpaper apps, which Anura coined the Live Fraud Paper Threat. Google Play removed all of the apps eZanga named in their case study within a few weeks.

However since then, Anura has discovered the re-emergence of fraudulent live wallpaper apps in the Google Play Store. This latest discovery has been coined Live Fraud Paper Threat 2.0.

The New Threat: Live Fraud Paper Threat 2.0

Since September 18, 2017, Anura has identified three developers (with Gmail accounts) who have uploaded 43 zombie apps. Those zombie apps may have been downloaded more than 1.1 million times.

Like before, the new fraudulent wallpaper apps are manipulating a zero-click model, where the smartphone doesn’t have to be touched to generate a click. But this time around, the script has been altered just enough to slip past Google Play Protect and other traffic detectors.

This variation could cost advertisers anywhere between $100,000 to $500,000 per month!

New Call-to-action

Consumers are also at risk for inviting malware onto their devices. This puts legitimate applications at risk (e.g. financial apps), plus consumers can become retargeted with products and services of no relevance to them.   

Why Doesn’t Google Just “Fix It”?

Google Play Protect has good intentions, aiming to scan devices daily. So, how are these bad zombie apps getting past Google?

It’s possible Google is checking for pieces of the original infiltrated code even when trying to determine whether an app is “infected.” But if an app developer has obfuscated their code enough so that it doesn’t “look” like the previous code, it allows them to creep by undetected.

There’s also the issue of “zero click.” Google could put a rule in place that if an app developer used a known inferior script to automatically mark it before it enters the Google Play Store. Since the code is very similar and even with obfuscation, you can see what certain elements do.

Clearly, it’s a complex issue. In the meantime, it’s up to advertisers and consumers to be vigilant about what apps they choose to download. Don’t let your device fall prey to a zombie app.

For more information on Live Fraud Paper 2.0 download our case study.

Richard Kahn

Rich Kahn is the Founder and CEO of, a digital advertising firm and purveyor of the ad fraud traffic management platform Anura. He has more than 23 years of global experience in internet technology, digital advertising, and ad fraud management, and is often revered for his implementation of fraud elimination techniques and client growth. Previously, Rich founded his own internet service provider, First Street Corporation and co-founded Paid for Surf, an advertising software company, before joining the pay per click advertising network AdOrigin as its COO. Rich has held management roles at Verizon Wireless and Bloomberg.