As mobile devices proliferate, app advertising has become a huge business, worth an estimated $20 billion in the U.S. alone. But how much of that is being wasted? According to a new report from fraud-detection firm Forensiq, as much as $1 billion of that advertising money is being lost to fraud in a number of ways—including malicious apps that hijack mobile phones and turn them into an ad-viewing botnet.

There are already several well-known varieties of mobile fraud, including device emulation, mobile user-agent and location spoofing, and fraudulent user-acquisition methods. But Forensiq says that its research has uncovered a new variety, which it calls “mobile device hijacking.”

In this process, malicious mobile applications pretend to exhibit human behavior by loading new pages or cycling through functions in an app, all of which loads advertising. But they load far more ads than any normal application would—as many as 20 ads per minute—and in many cases they do so in the background when the app isn’t being used—which means they are never seen.

Based on the amount of estimated fraudulent inventory, the company said the total loss to advertisers could reach the $1 billion mark this year. And the loss of hundreds of millions of dollars worth of mobile advertising revenue isn’t the only downside: These apps can also consume a huge amount of bandwidth and battery life, leading to higher costs for owners.

“These apps run constantly, even when not actively in use, serving thousands of invisible ads every day on a single device. To the consumer, this means potentially petabytes of bandwidth wasted daily; in just an hour, a typical malicious app installed on a single device can download 2GB of data per day, consisting of images and videos that are never seen.”

This kind of behavior is similar to the “botnets” that malicious computer hackers can create using infected computers, first by turning them into zombies that can be controlled remotely, and then tying them together and forcing them to load webpages, click on ads or distribute malware. But as Forensiq points out, most PC malware is downloaded without the user’s knowledge via email or infected webpages, whereas mobile app fraud comes from apps that users download willingly.

Mobile ad fraud

The firm said that it tracked down more than 5,000 apps that were exhibiting suspicious behavior. It found the apps by using the real-time tracking data that it gets from the various mobile ad networks that it is integrated with, which allowed it to look for the kind of rapid ad-loading and background functions that most malicious apps exhibit. The company then loaded several of these apps and tracked their behavior.

Some of the malicious apps the firm discovered downloaded a script that allowed them to simulate clicks on ads, and to load the advertiser’s landing page without the user’s permission. Others redirected users through affiliate links to websites and other apps in the iOS and Android app stores.

Forensiq said its research showed that more than 13% of total mobile app inventory was at risk, and 14% of all mobile apps on iOS, Android and Windows Mobile platforms.

Over a period of 10 days, Forensiq says it observed more than 12 million unique devices with installed apps that exhibited fraudulent behavior: about 1% of all devices it observed in the U.S. and between 2% and 3% of those in Europe & Asia. In addition to malicious apps, the company says it also saw some apps that don’t even display ads showing up in its scan of ad behavior—including BlackBerry’s BBM messenger—which suggests that other apps are spoofing their unique identifiers.

Many malicious apps can be identified because they ask for a suspicious number of permissions that shouldn’t be required given their purpose—such as the ability to prevent the device from sleeping, the ability to run at startup automatically, to modify or delete content and to access location services even when the app is running in the background.

Forensiq said that fraudulent apps drove traffic through most of the major mobile ad exchanges and networks, and in some cases established 1,000 connections per minute, connecting to more than 300 networks, servers, exchanges and ad providers in less than an hour.