Researchers have found two Google Play Store apps that amassed a combined 1.5 million downloads over 12 months using a new form of hidden click fraud adware that would slow phones, increase overall data usage, and drain batteries.

“Idea Note: OCR Text Scanner, GTD, Color Notes” and “Beauty Fitness: daily workout, best HIIT coach” from developer Idea Master managed the impressive download figure over the course of a year completely undetected. It was only thanks to digging by Symantec that the nefarious click fraud and device infections were found (via ArsTechnica).

The two apps actually used legitimate packers — which help protect the intellectual property of Android apps. In the instance of these packers, they can change the entire structure flow of an .apk file. This made it difficult to detect the actual app behavior. It also explains why the apps managed to flow under the radar for a year without being detected.

When installed on a device, the app would send a notification using the notification drawer on the phone. Then once clicked, Toast is used to display a hidden view containing ads. Toast messages are used to show unobtrusive notifications, like when you adjust the volume.

The ads would “show” outside of the view of your screen, essentially running hidden in the background without your knowledge. The developers then set an automated ad-clicking process to generate ad revenue without the user even realizing. After discovering the practices, Symantec notified Google, who then pulled the offending sneaky adware apps from the Play Store.

This method is quite different from the recent report that found 85 apps on the Play Store forcing full-screen ads on phones. This insidious method seems far worse by comparison. It pays to be vigilant, even when installing apps from legitimate sources.

It hasn’t been a great week for Play Store security yet again, as earlier this week Kaspersky found that the immensely popular CamScanner app was pulled for allegedly spreading malware (via Android Police). It was reinstated after the devs removed the AdHub module which was found to be the culprit. To Google’s credit, they pulled the app quite rapidly after reports surfaced.

More on the Google Play Store:

FTC: We use income earning auto affiliate links. More.


Checkout 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Damien Wilde's favorite gear