In brief: An investigation conducted by BuzzFeed in collaboration with security firms Check Point, Method Media Intelligence and ESET found that six apps published by DU Global were clicking on in-app ads to generate revenue illegally and without the user’s knowledge. The apps also lied about their developer and country of origin, don’t comply with the GDPR, and ask for many dangerous permissions that are completely unnecessary for them to function. Combined, they have over 90 million downloads.

Most third-party apps rely on little banner ads that sit at the bottom of the app, while others sometimes show five-second full-screen ads. Generally, these ads are provided by Google’s or a third party’s ad service, which pays the developer a small amount for displaying the ad and a larger amount when a user clicks on it. All six of the apps found in the investigation would periodically click on ads and open them in the background, whether the app was open or not, using up system resources, battery life, and data.

Needless to say, if you’ve downloaded any of them (Selfie Camera, Total Cleaner, Smart Cooler, RAM Master, AIO Flashlight or Omni Cleaner), delete them now. Thankfully, Google removed them from the Play Store as soon as it was alerted.

Security researchers dug deep into Selfie Camera, which has over 50 million downloads. In addition to the ad fraud, they found that the app also committed ‘download fraud’: it monitored the other apps on the phone, and when a new app was downloaded, Selfie Camera uploaded information about that app and claimed to have caused the download, tricking developers into paying its publisher. It also contains code designed to monitor the battery, monitor the CPU and view external websites.

“We explicitly prohibit ad fraud and service abuse on Google Play. Developers are required to disclose the collection of personal data, and only use permissions that are needed to deliver the features within the app,” Google told BuzzFeed. “If an app violates our policies, we take action that can include banning a developer from being able to publish on Play.”

“It’s not something you can say is in the gray area — it's a clear-cut fraudulent activity.”

- Aviran Hazum, response team leader for Check Point, an ad fraud research firm.

In addition to those six major offenders, BuzzFeed also noticed some ugly behavior in three other apps. Emoji Flashlight, with 5 million downloads, requests thirty permissions including seven dangerous ones (as defined by Google). Other flashlight apps require just two. Samsung TV Remote Control, which is developed by Peel Technologies, requests 58 permissions including 23 dangerous ones. Its privacy policy also explicitly states that it may record and upload audio at any given time without notifying the user. Lastly, the Chinese-language kids’ app WaWaYaYa sends emails, usernames, real names and device information back to servers in China with no form of encryption or security.

Dangerous and fraudulent apps are a shockingly widespread problem, and just because an app appears in the Play Store or App Store doesn’t mean it can be trusted. To check if an app is trustworthy, read a couple of reviews, read the privacy policy, and see if it’s from a developer you recognize or comes up in a Google search. And most importantly: don’t give an app permissions it doesn’t need.
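The permission check described above can be automated. The sketch below is an added example, not code from the investigation or from any of the apps named. It assumes the APK's manifest has already been decoded to text XML (for example with apktool). The sample manifest is constructed, and the "expected" baseline for a flashlight app is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions Android classifies as "dangerous" (classic runtime-permission
# list; newer API levels add more, so treat this set as a starting point).
DANGEROUS = {"android.permission." + p for p in """
READ_CALENDAR WRITE_CALENDAR CAMERA READ_CONTACTS WRITE_CONTACTS GET_ACCOUNTS
ACCESS_FINE_LOCATION ACCESS_COARSE_LOCATION RECORD_AUDIO READ_PHONE_STATE
CALL_PHONE READ_CALL_LOG WRITE_CALL_LOG USE_SIP PROCESS_OUTGOING_CALLS
BODY_SENSORS SEND_SMS RECEIVE_SMS READ_SMS RECEIVE_WAP_PUSH RECEIVE_MMS
READ_EXTERNAL_STORAGE WRITE_EXTERNAL_STORAGE
""".split()}

# Assumption: a flashlight only needs CAMERA (to drive the LED) among these.
EXPECTED_FOR_FLASHLIGHT = {"android.permission.CAMERA"}

# Constructed sample manifest for a hypothetical app, not a real one.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Example Flashlight"/>
</manifest>"""

def audit_manifest(manifest_xml, expected):
    """Return (requested, dangerous, unexpected_dangerous) as sorted lists."""
    root = ET.fromstring(manifest_xml)
    requested = set()
    # Both element names declare permissions; the -sdk-23 form applies on API 23+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    dangerous = requested & DANGEROUS
    return sorted(requested), sorted(dangerous), sorted(dangerous - set(expected))

if __name__ == "__main__":
    requested, dangerous, unexpected = audit_manifest(
        SAMPLE_MANIFEST, EXPECTED_FOR_FLASHLIGHT)
    print(f"{len(requested)} requested, {len(dangerous)} dangerous")
    print("dangerous and not expected for this app type:", unexpected)
```

An app whose unexpected list is long relative to what its category needs deserves the closer review of its reviews, privacy policy and developer that the article recommends.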