In brief: An investigation conducted by Buzzfeed in collaboration with Check Point, Method Media Intelligence and ESET security firms found that six apps published by DU Global were clicking on in-app ads to generate revenue illegally and without the user’s knowledge. They also lied about their developer and country of origin, don’t comply with GDPR regulation and ask for many dangerous permissions that are completely unnecessary to function. Combined, they have over 90 million downloads.
Most third-party apps rely on little banner ads that sit at the bottom of an app, while others sometimes have five-second full-screen ads. Generally, these ads are provided by Google or third party’s ad services, which pays them a small amount for displaying the ad and a larger amount when a user clicks on the ad. All six of the apps found in the investigation would periodically click on the ads and open them in the background, whether the app was open or not, using up system resources, battery life, and data.
Needless to say, if you’ve downloaded any of them: Selfie Camera, Total Cleaner, Smart Cooler, RAM Master, AIO Flashlight and Omni Cleaner – delete them now. Thankfully Google removed them from the Play Store as soon as they were alerted.
Security researchers dived in deep into Selfie Camera, which has over 50 million downloads. In addition to the ad fraud, they found that the app also committed ‘download fraud’ where the app monitored the other apps on the phone. When a new app was downloaded, Selfie Camera uploaded information about the app and claimed that they caused it to be downloaded, tricking developers into paying them. It also contains code designed to monitor battery, monitor the CPU and to view external websites.
“We explicitly prohibit ad fraud and service abuse on Google Play. Developers are required to disclose the collection of personal data, and only use permissions that are needed to deliver the features within the app,” Google told Buzzfeed. “If an app violates our policies, we take action that can include banning a developer from being able to publish on Play.”
“It’s not something you can say is in the gray area — it's a clear-cut fraudulent activity.”
- Aviran Hazum, response team leader for Check Point, an ad fraud research firm.