Security research firm eZanga has found upwards of 300 malicious apps in the Play Store that rack up fraudulent ad clicks. These apps are estimated to have cost advertisers around $6.5 billion in total thus far. The apps seem to be created and submitted to the Play Store by bots, and include apps such as Tuneatpa Personalization, Attunable, and Classywall. The apps are all free, and the download count for these ranges from the low thousands to well into the hundreds of thousands. eZanga also found a cracked version of ES File Explorer Pro floating around with a similar functionality, but the malicious code is indeed absent from the Play Store version of the app. As of this writing, eZanga has stated their intent to inform Google of the malicious apps, so they should be removed from the Play Store soon.
While apps such as these may not do anything usually associated with malware, such as crashing a device or stealing user data, the fact that they use surreptitious methods to achieve their goals means that they could easily try to do something else, and possibly succeed. Still, the motivation for such an app is not hard to fathom; these apps can generate hundreds or even thousands of requests per active device per hour. Even at low per-click rates, this can spell quite a payday, if a malware app developer can get away with it for long enough without Google or the advertiser finding out.
There are other negative side effects to these apps for users. The apps running in the background all the time will increase a device’s RAM consumption and CPU load, and decrease battery life. This means that devices could not only see less battery life, but could also slow down, run out of memory and crash, or even overheat more easily, potentially causing permanent hardware damage. On top of that, the extra data use caused by these requests could add up over time, for users on tiered data plans who may only have a few gigabytes per month at their disposal. The Play Store has been proven quite often to be far from infallible in protecting users from such apps, so even if you keep your app downloading strictly inside Google’s garden, it pays to be vigilant. Be wary of free apps that seem cheap or generic, and never grant any apps more permissions than you would think they need to perform their primary function without sufficient explanation from the developer. Running apps through a malware checker could also be a prudent measure; Google’s own Verify Apps tool is feature-rich and reliable, but it’s not perfect, and a second opinion can’t hurt when device security is at risk.