Google has been on a roll lately, pulling shady apps from the Play Store. In its latest bout of anti-malware bans, the company removed some 20 apps from its online storefront, but not before they raked in over 2 million downloads worldwide.
The latest round of takedowns has to do with 22 apps that used a backdoor to enable developers to simulate ad clicks. This not only allowed the fraudulent devs to make cash from advertising companies by giving them fake impressions, but also subjected unsuspecting users to severe battery drain and bandwidth consumption, a new Ars Technica report reveals.
According to the report, and based on observations from antivirus provider Sophos, the rogue apps used a “device-draining backdoor” that allowed attackers to download files in the background without the user noticing. What’s more, some of these apps didn’t have the malware when they went live on the Google Play Store, but were “updated” later to enable the backdoor. This is a worrisome revelation, as it suggests that even apps that are initially deemed safe could become malicious further down the line with a simple update.
The apps were used to “click endlessly on fraudulent ads,” the Ars report states. The malicious software allowed the apps to automatically start and run in the background even after a user force-closed them, resulting in severe battery drain and bandwidth consumption.
The goal of this backdoor is to allow attackers to create fraudulent advertising impressions by constantly running an app and simulating ad clicks. What’s more, according to Sophos, the impressions were made to appear as though they were coming from iPhone users. This was done because iPhone users are perceived to be more lucrative, due to the average spending on apps and in-app purchases on iOS being higher than on Android.
One of the most popular of the removed rogue apps is Sparkle Flashlight, which went live on Google Play sometime in 2016 or 2017 and has since garnered over a million downloads. It was updated in March of this year to open the malicious backdoor, the report states.