How to emulate many users of android/iphone app with unique IPs, generic footprints.

Discussion in 'Black Hat SEO Tools' started by punkinhead, Feb 2, 2016.

  1. punkinhead

    I've got most of these details worked out for emulating multiple users on websites without leaving a distinct footprint, but no idea where to start to do it with mobile.

    Can someone start me off with a couple of terms I can look up or a general direction to look into? Should I be putting one android and/or iphone emulator per vps and running one emulation per vps like that, or is there some better way in bulk? Some way to run many on one machine so they appear to be independent and unrelated?

    What about the IP switching? It's easy in browsers with all the extensions and imacros, but not sure what tools to look into to emulate mobile users.
     
  2. Swaggatron

    To get a better view of how your app will really look on an iPhone, Android or Windows Phone of your choice, you will want to view it using one of the emulators associated with a platform's native software. In the case of Apple, you need Xcode, and for Android emulation, you need the Android SDK. For Windows, you can use the native Windows Phone emulator available in the Windows Phone SDK.

    If you get the above right, then go through this article for further developments.

    http://developer.telerik.com/featur...bile-app-simulation-emulation-device-testing/
     
  3. punkinhead

    I should probably be more specific. I'm not a developer. It's not my app. I don't care how accurate the emulation is so long as it transmits the right data to the dev's servers. I need to create bot users for spotify that appear to be real users distributed across various device types and locations.

    I have briefly looked at the SDKs you mention, and the notion of running xcode, for instance on a vps just to emulate a single user and then having to work to spoof device type, location, etc. on a rotating per user basis seems very inefficient for my purposes. I'll do it if I have to, but...

    Is there a better, faster, more resource efficient, and easier to automate way to emulate bulk users? At the very least, is there something I can look into that will let me run MANY emulations (with proper mix of spoofed user data, device types, etc.) on a single instance of xcode? Better still would be something that just mimics the output and skips the whole emulation.
     
    Last edited: Feb 3, 2016
  4. punkinhead

    Should I just start with this? Do I need to run a full emulation like xcode per vps and one app PER emulation, or is there a way to emulate multiple devices simultaneously?
     
  5. punkinhead

    I think maybe I started with too many specifics. Just looking at the moment for general concept of what sort of approach you would use to emulate a bunch of mobile app users. Do I need one app per emulation per vps, or is there a different concept I should be looking into?
     
  6. lebsta

    Interesting topic... staying tuned!
     
  7. Asif WILSON Khan

  8. back2basics

    Most emulators suck, and running multiple instances of them is not great if even possible. Here's the easiest way to do what you want...

    [​IMG]
     
    • Thanks x 3
  9. punkinhead

    Yeah, I'm aware of some of the basic emulators out there, and of the existence of google... and that for serious development, people still do the bank of real devices thing, but I'm not trying to get an accurate emulation of anything, just spoof users in bulk with some sort of black hat tool. Really surprised that I can't find such a thing. There are tools galore to spoof desktop users in bulk (proxy rotators, user agent spoofers, etc.)

    Running banks of real devices or even just running lots of vps with one emulator each isn't addressing the issue of rotating through user profiles. I don't need 10 permanent users. I need 100 DIFFERENT users with DIFFERENT fingerprints every hour.

    Nobody has any tools for this?
     
    Last edited: Feb 7, 2016
  10. THUNDERELVI

    Short answer: You can't!
    Long answer: Most apps can detect if you are running an emulator or a real device (it can be easily done in code) through hardware fingerprinting. That cannot be spoofed unfortunately. I don't know what you are trying to do, but if it involves spamming and you rely on creating 100s of profiles via mobile phones, they can always detect that you are running an emulator and not a real device, therefore the only way is to buy cheap phones and use those!
     
  11. punkinhead

    Bummer. Is there at least some way to rotate the apparent profile so Phone #1 appears to be a different user on a different device of same type each time?
     
  12. mtarus

    I've read about bluestacks but not sure how that works
     
  13. punkinhead

    Hmm... yeah. That's one of the ones I had come across a while ago that I was trying to remember. Bluestacks 2.0 allows the loading of multiple apps. Pairing that with advice like this:

    http://www.guidingtech.com/42743/multiple-instances-app-android/

    with the cloning of .apk files, etc should yield multiple clones of an app running.

    So what EXACTLY is it that's the giveaway that an emulator is being used? My understanding from digging into tools like Random Agent Spoofer is that in many ways, it should actually in theory be easier to blend in with mobile traffic since there are fewer variables, and larger pools of users with apparently identical fingerprints.

    Just on the surface, it would seem that this should be doable, and should actually be a bit easier than it is to spoof desktop usage... unless there's some specific item or items I'm missing that simply cannot be spoofed. If so, what are they?

    Also, what exactly CAN be spoofed? For instance, if you want to run 10 instances on a single emulator and have them appear as unique users, you couldn't just use a vps for the machine since they would all have the same IP. What sort of setup or tools would you use to give each instance its own IP? (Something like what a proxy switching extension does for FF). Putting each on a separate vm with its own emulator would be very inefficient and expensive to scale, so looking if possible for solutions that allow large numbers of instances of app to run simultaneously on one well endowed vps with a single emulation. (Well, one android emulation, anyway... then whole similar setup for iOS... unless one is better to run and can accurately spoof the other.)

    Or, is there a MUCH more efficient process that essentially just taps into the app's API, and feeds it the correct identifying information and details as if it's running the app?
     
    Last edited: Feb 8, 2016
  14. Asif WILSON Khan

    You will find that if it can be done on a desktop, then it can usually be done on a mobile.
    On a Desktop a Browser is a Program, on a Mobile a Browser is an App, so if Firefox/Chrome has suitable extensions/plugins/addons available on Desktop then most of them will still work on Mobile.
    Even though the platforms may be different, the way the devices communicate over the Web/Internet is essentially the same: HTTP (Hypertext Transfer Protocol).

    You can spoof the Mobile User Agent
    http://www.useragentstring.com/pages/Mobile Browserlist/
    https://developer.chrome.com/multidevice/user-agent
    http://www.useragentstring.com/pages/useragentstring.php
    http://lmgtfy.com/?q=mobile+user+agent+list
    http://lmgtfy.com/?q=spoof+mobile+browser+on+desktop

    These might be useful:
    https://addons.mozilla.org/en-US/firefox/addon/firefox-os-simulator/
    https://developer.mozilla.org/en/docs/Tools/Firefox_OS_Simulator
    https://developer.mozilla.org/en-US/docs/Tools/Firefox_OS_Simulator
    https://addons.mozilla.org/en-US/firefox/addon/firemobilesimulator/?src=search
    https://addons.mozilla.org/en-US/mobile/addon/phony/

    Remember Http Request Headers can be spoofed and tampered with, these tools can help:
    https://addons.mozilla.org/en-US/firefox/search/?q=http+header&appver=44.0&platform=windows
    http://lmgtfy.com/?q=Spoof+Http+Request+Headers
    http://lmgtfy.com/?q=spoof+user+agent+header
    https://en.wikipedia.org/wiki/User_agent#User_agent_spoofing


    There are many tools and software programs out there (think computer security and web application testing) that can help but you are unlikely to find one that meets your needs 100%, you will probably have to pay a Dev for a custom solution.




    EDIT: The simplest solution for you is to hire a dev to create your bot with specific requirements, might not be cheap and you might want to arrange to have the final payment withheld for 1-2 months until satisfied it works.
     
    • Thanks x 2
    Last edited: Feb 8, 2016
  15. punkinhead

    I've been assuming as much for a while now, but not really clear just how far I can get with off the shelf tools. If it gets me in the ballpark so I can get started, then I can learn as I go and be able to have an intelligent conversation with a dev to get the bot built right. It's like plumbing. I still hire a plumber for big jobs, but I know enough about how it works to communicate and know if I've got the right guy.

    Anyway. Thx. I'll start reading up. I really just need to spoof users of one app, but I don't know enough yet about exactly how the app fingerprints users or receives usage data to know exactly what questions to ask. I also need to know enough about it to be able to CHECK that it is spoofing users properly. (Something like cross-referencing Panopticlick, but specific to what the app is sending rather than a browser)

    I understand (more or less) how to spoof users of a mobile BROWSER... I just have very limited concept as to how to do the same of an app.
     
    Last edited: Feb 8, 2016
  16. Asif WILSON Khan

    I think I have a good idea of what you are trying to do, there are tools out there because other people are doing it, but I don't think you will find them available publicly and if you do, they would be very expensive. I think people have paid for custom solutions.

    If you decide to try to build your own bot then read up on HTTP requests and responses, install HttpFox so you can see what gets sent from the browser to the server and vice-versa.

    https://addons.mozilla.org/en-US/firefox/addon/httpfox/
    http://www.telerik.com/fiddler
    https://addons.mozilla.org/en-US/firefox/tag/http
     
  17. Asif WILSON Khan

    This is a good read:

    Source:http://motherboard.vice.com/read/i-built-a-botnet-that-could-destroy-spotify-with-fake-listens


    I Built a Botnet that Could Destroy Spotify with Fake Listens


    Did you know you can leave a muted Spotify playlist on repeat all night and generate roughly 72 cents for your favorite band? Or that you could previously leave a browser tab of Eternify open all day and net the band $2.30?

    Better yet, did you know you can program a botnet on your old laptop to generate $30 a day in fake Spotify listens?

    These gratuities may seem harmless or even deserved, but they foreshadow a major vulnerability in the current model of online music streaming. Just as publishers learned about click farming, streaming music services are learning about listen farming. And if automated listening continues unchallenged, music streaming may cease to provide any meaningful income for legitimate (even popular) musicians.

    Peter Fillmore, a security consultant in Melbourne, was among the first to demonstrate that automated programs could generate massive royalties back in 2013 by having software-based "robots" listen to his own (comically horrible) music nonstop.

    Fillmore made around $1,000 in royalties and topped the Australian charts of streaming service Rdio, he says his motivations were benign. "I was focused more on working out what mechanisms were there to prevent this type of fraud - and what the potential payouts would be," he told me in an email.

    In the time since Fillmore publicized this exploit, music streaming companies have been tight-lipped about the possibility of musical click fraud. Bloggers, however, have noticed the elephant in the room. In the wake of stunts like Vulfpeck pocketing $20,000 by having fans listen to silent songs and Eternify turning streaming fraud into an app, some have entertained the possibility of what would happen if large-scale botnets turned this trickle of fake plays into a torrent.

    I decided to prototype a robot with an endless appetite for music to see if Spotify could detect what it was doing.

    Here is what I coded into life:

    [​IMG]
    Image: William Bedell

    First, a remote server used browser automation to sign up for Spotify accounts with randomly generated names, ages, and email addresses. This gave me a limitless supply of accounts to stream songs, so as not to alert Spotify by having a handful of users with inhuman amounts of activity.

    A central command server periodically sent out Spotify login credentials to cloud servers (or repurposed personal computers) running dozens of Spotify clients, all masked behind virtual private networks. Each "user" logged in, listened to a few hours of music, then logged out. Their playlists were random selections from various artists I like. Then, I deployed the botnet using a patchwork of free cloud instances and my own hardware.

    It was mesmerizing to watch the plays rack up. Unknown albums from minor celebrities I adore suddenly had tens of thousands of hits, where before they had virtually none. With minimal effort, I was generating $32.26 per day in royalties. Inevitably, my thoughts wandered to greed: how profitable would this music royalty factory be if I turned it on music I owned the rights to?

    Data from my relatively small-scale operation suggested I could locate 50 Spotify clients on a memory-optimized 15 GB cloud server from Amazon Web Services and fake listens for a cost of 0.003 to 0.012 cents per song. (The exact cost depends on how frequently the robotic listeners hit the "skip" button.) A royalty report I recently received from a musician colleague suggested that artists' take for ad-supported listeners was 0.08 cents per song (this number varies over time and between publishers), putting a conservative estimate for the rate of return of automated streaming at over 600 percent, assuming that one receives all the royalties for the music streamed.

    That kind of "magic internet money" puts Bitcoin mining to shame - and I don't need to explain the nonfinancial reasons why a musician might want a slice of the 18,000 to 144,000 (again, depending on song skipping) hits a single 15 GB cloud server could generate every day.

    Automated streaming is a lucrative heist involving robots emulating humans, but I did not encounter many Turing tests during my dry run. There wasn't even a CAPTCHA or email verification when creating accounts. The barriers to entry are clearly minimal.

    A Spotify representative assured me that the company employs both computerized algorithms and human review to identify albums with questionable streaming activity, but declined to tell me how many albums have been removed for suspected fraud.

    We do have one data point: Fillmore's album was taken down about six months after he began streaming songs once every thirty seconds (the minimum duration to accrue a royalty payment) from high-paying premium Spotify accounts. He suspects it was because of user complaints about the quality of his music.

    One can imagine, however, that if streaming robots can approximate human listener behavior well enough, a sophisticated botnet operation could plausibly fool Spotify's spam algorithms.

    As much as I love the idea of having an army of robots working feverishly to bring me riches, my conscience prevents me from doing it. To understand why, one needs to realize where the money comes from.

    Here is Spotify's basic business model: The site takes the total revenue from ad sales, which totaled $117 million in 2014, and pockets 30 percent. The remaining 70 percent of the ad money is shared between rights holders, based on the number of plays they receive. For instance, if I held rights to 10 percent of the total free Spotify streams during 2014, I end up with 7 percent of that $117 million pot (minus publishing fees).
    By adding meaningless plays to the denominator of that sharing formula, automated streaming lowers the per-stream royalty rate for all other rights holders.

    Does that mean a bot wrangler would be sticking it to the record business fat cats?

    Probably not.
    Major music labels are insulated from streaming fraud because they negotiate a much more complex compensation package with Spotify than the simple formula outlined earlier. Sony negotiated terms including multi-million dollar advances from Spotify, and "usage-based minimums" which guarantee fixed per-stream royalty rates even if bots drag the shared-model rates to new lows.

    Instead, independent musicians and small labels that self-publish would likely bear the brunt of the damage from automated streaming because their royalty rates are the most flexible. Advertisers also suffer because they are paying for ad time that is falling on robot ears.

    We can predict how small royalties may become by thinking of the situation as arbitrage. The royalty payout for playing a song currently exceeds the cost of required server time. If automated streaming continues unabated, independent artists who rely on ad-supported listeners will see their royalties shrink, possibly to the vanishing cost of server time (0.003 to 0.012 cents per stream).

    At that point, automated streaming from the cloud will become unprofitable - unless spammers decided to infect swaths of computers with malware that would quietly stream fake Spotify listens without the user noticing. This kind of malware-driven botnet is a cheap way to mimic a lot of listener activity, and could end up forcing the value of a Spotify listen down even further if deployed on a large scale. Real hackers might switch to using stolen premium accounts for even juicier payouts, and the same race to the bottom would occur at the premium tier.

    If they want to save the profitability of streaming, both independent artists and advertisers should call on music streaming services to combat streaming fraud however possible. Spotify and other services could accomplish this by taking listener authenticity seriously, and perhaps by splitting revenues more fairly.

    I have focused on Spotify out of familiarity, but the effectiveness of botnets in taking a cut from shared revenue pools is nearly universal. Traditional click farms make web pages look like they drive more traffic than they really do, and video streaming services already have the unpleasant task of wiping billions of suspect views from their ledgers.

    But perhaps there is hope for music: I polled my musician friends on whether they would collaborate with me if I hypothetically attempted to unleash this monster into the streaming world for profit. They didn't seem too interested in such diabolical plots. With any luck, they are a representative sample.





    Also these:
    http://www.theguardian.com/music/mu...reaming-silence-vulpeck-make-money?CMP=twt_gu
    https://news.ycombinator.com/item?id=7428550
    http://eternify.it/
    http://www.bloomberg.com/bw/article...nds-a-way-to-make-spotify-pay-for-its-silence
    http://www.itnews.com.au/news/hacker-uses-bots-to-top-music-charts-bumps-pnk-nicki-minaj-362462
    http://www.hypebot.com/hypebot/2015/11/gaming-streaming-networks-with-fake-listeners.html
    http://lmgtfy.com/?q=spotify+bot+account+creator
    http://lmgtfy.com/?q=spotify+bot
     
    • Thanks x 2
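
The article quoted in the post above says Spotify uses algorithms and human review to find albums with questionable streaming activity, and gives thirty seconds as the minimum play length that accrues a royalty. A sketch of that kind of check over a constructed play log, added here as an example (not code from the article, from Spotify or from any poster); the account names, thresholds and ad pool are assumptions:

```python
from collections import Counter

ROYALTY_THRESHOLD_S = 30    # from the article: minimum play length that accrues a royalty
RIGHTS_HOLDER_SHARE = 0.70  # from the article: share of ad revenue split by play count
# Everything below is an assumed tuning value for this sketch, not a real service's setting.
NEAR_BAND_S = 5             # plays of 30-34 s count as "just past the threshold"
MIN_PLAYS = 20              # too little data below this to judge an account
NEAR_SHARE_LIMIT = 0.8      # share of threshold-length plays that flags an account
HOURS_LIMIT = 20.0          # listening hours in one day that flags an account
REVIEW_SHARE = 0.5          # share of flagged plays that sends an artist to human review


def build_sample_log():
    """Constructed one-day play log of (account, artist, seconds_played) tuples."""
    mixed = [212, 187, 31, 240, 12, 205, 198, 33, 260, 174, 221, 8]
    artists = ("artist-A", "artist-B", "artist-C")
    log = [("human-1", artists[i % 3], mixed[i % 12]) for i in range(24)]
    log += [("human-2", "artist-Q", 215)] * 25    # a fan replaying one artist
    for account in ("bot-1", "bot-2"):
        log += [(account, "artist-Q", 31)] * 300  # skips right after the threshold
    log += [("bot-3", "artist-Q", 210)] * 400     # full plays, 23+ hours in a day
    return log


def flag_accounts(log):
    """Return {account: [reasons]} for accounts whose day of listening looks automated."""
    plays, near, seconds = Counter(), Counter(), Counter()
    for account, _artist, secs in log:
        plays[account] += 1
        seconds[account] += secs
        if ROYALTY_THRESHOLD_S <= secs < ROYALTY_THRESHOLD_S + NEAR_BAND_S:
            near[account] += 1
    flagged = {}
    for account, count in plays.items():
        if count < MIN_PLAYS:
            continue
        reasons = []
        if near[account] / count >= NEAR_SHARE_LIMIT:
            reasons.append("threshold-length plays")
        if seconds[account] / 3600 >= HOURS_LIMIT:
            reasons.append("inhuman listening hours")
        if reasons:
            flagged[account] = reasons
    return flagged


def artists_for_review(log, flagged):
    """Return {artist: flagged share of royalty-bearing plays} at or above REVIEW_SHARE."""
    total, suspect = Counter(), Counter()
    for account, artist, secs in log:
        if secs < ROYALTY_THRESHOLD_S:
            continue  # too short to accrue a royalty
        total[artist] += 1
        suspect[artist] += account in flagged
    shares = {artist: suspect[artist] / total[artist] for artist in total}
    return {a: round(s, 3) for a, s in shares.items() if s >= REVIEW_SHARE}


def per_stream_rate(ad_pool, log, excluded=()):
    """Pro-rata rate: the rights holders' pool divided by all royalty-bearing plays."""
    counted = sum(1 for account, _artist, secs in log
                  if secs >= ROYALTY_THRESHOLD_S and account not in excluded)
    return ad_pool * RIGHTS_HOLDER_SHARE / counted


if __name__ == "__main__":
    log = build_sample_log()
    flagged = flag_accounts(log)
    for account, reasons in sorted(flagged.items()):
        print(account, "->", ", ".join(reasons))
    print("review:", artists_for_review(log, flagged))
    # Constructed ad pool of 100.00 to show the dilution the article describes.
    print("rate with bots:    %.4f" % per_stream_rate(100.0, log))
    print("rate without bots: %.4f" % per_stream_rate(100.0, log, excluded=flagged))
```

Artist concentration alone is deliberately not a signal here: the constructed "human-2" account plays a single artist all day and is not flagged.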
  18. punkinhead

    Yeah. I've read it. It's actually not what I'm doing, though some of the setup is obviously similar (as it is with most botnets). There's no future in focusing on fake streams. I've got my sights set much deeper. :)

    FWIW, a friend of mine had their album removed from Spotify for doing what the article outlines.... and it got much worse from there. Turns out, the aggregators like CD Baby, etc have a clause in the contract that says if your stuff gets taken down for SUSPECTED fraud, they keep everything you've got coming to you. The idea is that if they get dragged into a lawsuit over your behavior, they'll use your money to cover themselves. Thing is, it's ALL the money you have coming to you... even if you have dozens of albums up across several artists, etc. And, of course, that's a minimum of a few months worth of earnings across your fiefdom since they pay on a delay. It was not a good day for him.
     
    Last edited: Feb 9, 2016
  19. BaSs_HaXoR

    Frankly, there's a lot of comments on here- and unfortunately just don't have the time to read them all, so I might repeat what someone has already said.

    Portable Devices:
    Spotify automation on portable devices?
    If you did it web-based, why not leave it there? Simply implement it by porting the JavaScript, html, css with cordova (https ://cordova.apache(dot)org/) and serverside the backend with MongoDB and php.

    Automation:
    As for automating it concurrently- even on different threads, you'd need to utilize proxies for each connection with the essential spoofing needed.
    So if your ultimate goal is to multi-thread spotify bot automate, you're going to need a different footprint for each connection; and, that's where the hardest part I think would be. As for if it can be done or not? Sure, why not?
     
  20. punkinhead

    Thx, I'm not a backend dev by any means, so I'd have to dig into some of that and likely hire someone. Just to be clear, though, are you talking about spoofing users on mobile WEBSITE, or app? Website is no good. That's where the real disconnect comes for me. I know how to use browser based tools whether on desktop or mobile, but mobile users simply do not use the website. They use the app. Spoofing mobile website traffic is something I think I could do without too many issues, but it's of no use.

    I know the distinction may seem basic to some devs out there, but I just don't have any experience emulating apps whereas I've dug into browser automation and spoofing quite a bit lately.