Earlier this year, PubMatic, a sell-side platform (SSP) that helps online publishers sell display, video and mobile ads in an automated fashion, issued a “massive refund” to its clients.

The reason behind the San Francisco-based company – an expert in the programmatic space – reimbursing its customers was a highly sophisticated case of advertising fraud. More specifically, software security firm Lookout had discovered the presence of BeiTaAd, a “well-obfuscated advertising plugin”, hidden within numerous mobile apps where PubMatic offered ads.

In a clue regarding its scale, BeiTaAd was found on 238 apps – collectively installed 440 million times – that were available in the Google Play Store. And when this plug-in was active, it forcibly displayed ads on a user’s locked mobile screen, ran video and audio ads even when a mobile phone was “asleep”, and loaded brand messages outside of the application itself.