Symantec Found Ad-Clicking Malware In Two Popular Android Apps

Privacy Cyber Security AH Nov AH 2019

Symantec has discovered a new scam in two popular Android apps. Two apps with over 1.5 million downloads have been using a new scam method to stealthily click ads on users’ devices.

These two apps have been doing so for almost a full year before they were discovered. These two apps are “Idea Note: OCR Text Scanner, GTD, Color Notes” and “Beauty Fitness: daily workout, best HIIT coach”.

The first of these two apps is a notepad app, while the second one is a fitness application. Symantec has informed Google of this behavior, and both apps have been removed from the Play Store.


Symantec says both apps come from the same developer

Both of these applications came from the same developer, Idea Master, says the company. Symantec notes that Android packers can change the entire structure and flow of an Android Package Kit (APK) file. This complicates things for security researchers who want to decipher the APK’s behavior.

Symantec also notes that this also explains the ability for developers to remain on the Play Store performing malicious acts under the radar, like was the case in this example.

Symantec has also revealed how this whole scam works. It says that the attack starts with a notification in the notification drawer on the device. Once a user clicks on the notification, a toast message is used to display a hidden view containing advertisements.


For those of you who do not know, Toast messages are used to display unobtrusive notifications that appear on the current activity UI screen. For example, if you’ve altered some system settings, you may get notified by a Toast message.

Once that is done, a Canvas is being created outside the device’s viewable display. So, technically, the ads are drawn on the device. This allows ads to be displayed freely, along with any other malicious content. The app can then initiate an automated ad-clicking process, and thus produce revenue for whoever deployed it.

This malware can impact your phone’s performance

As these ghost clicks take place to generate ad revenue, impacted devices will be impacted in a number of ways. They will suffer from battery draining, slowed down performance, and a potential increase in mobile data usage.


As already mentioned, the two apps were undetected for almost a year, and have managed to gather roughly 1.5 million users in that time.

The apps are now gone, but if you’ve used them in the past year or so, and experienced issues with your phone’s performance, now you know why.

That is pretty much all the information that Symantec shared in its press release.