- The Washington Times - Thursday, August 29, 2019

More than a million Android users may have unknowingly allowed their smartphones to be exploited in a malicious ad-clicking scheme, security researchers warned Thursday.

Symantec engineers May Ying Tee and Martin Zhang said they recently discovered a “cunning” new tactic used to covertly click ads on the devices of Android users who had installed either of two popular apps.

Each of the apps – a notepad app called “Idea Note: OCR Text Scanner, GTD, Color Notes” and a fitness app called “Beauty Fitness: daily workout, best HIIT coach” – silently loads ads on the devices of users and then automatically clicks those ads to generate revenue, according to the engineers.

The tactic is noticeably different from similar schemes because the ads are loaded outside the device’s viewable display and effectively hidden from the user, said the Symantec team.

“Using this tactic allows advertisements, and any other potentially malicious content, to be displayed freely,” they wrote in a blog post. “The app can then initiate an automated ad-clicking process that produces ad revenue.”

“As threat actors generate ghost clicks and ad revenue, impacted devices will suffer from drained batteries, slowed performance and a potential increase in mobile data usage due to frequent visits to advertisement websites,” the engineers warned.

Both apps were released by the same developer, Idea Master, and had been downloaded a combined total of more than 1.5 million times from Google’s Play store before being brought to the company’s attention recently and subsequently removed.

Reached for comment, a Google representative pointed to a previous announcement regarding ongoing efforts taken to rid the Play store of malicious content, including an automated scanning process that the company says scans billions of apps daily for abuse.

Idea Master did not immediately return messages requesting comment.

Meanwhile, Google separately announced Thursday that the company will start rewarding researchers who report certain malicious Android apps. Individuals who report apps in which user data is used or sold unexpectedly, or repurposed in an illegitimate way without user consent, will be eligible to receive a bounty of up to $50,000, Google said.

• Andrew Blake can be reached at ablake@washingtontimes.com.
