Android users who think the apps they download from the Google Play Store are safe and secure would be wrong in many cases. Malware and other fraudulent apps often run rampant within the Google Play Store. Now a new report claims that seven apps from Cheetah Mobile and one from Kika Tech, which have a combined 2 billion downloads via Google Play, are part of a massive ad fraud scheme. The two companies are related; Kika Tech reportedly had a significant investment from Cheetah in 2016.
The ad fraud scheme was outed by research firm Kochava, and according to the researchers, these fraudulent apps could have stolen millions of dollars. Cheetah and Kika combined claim they have 700 million active users per month accessing their mobile apps. While these apps were allegedly stealing money from advertisers rather than the device owner, the device owner would notice reduced device runtime as the battery was drained by the illegitimate transactions happening in the background.
The apps that Cheetah and Kika used in the ad scheme were tracking when users downloaded new apps and used that data to claim credit for having caused the download. Many app developers pay partners anywhere from 50 cents to $3 for getting users to download their apps; this is how the two companies were allegedly using their nefarious apps to make money. This sort of fraud is known as click flooding and click injection, and it lands the perpetrator a bounty for app installs when they had nothing to do with the actual install.
Grant Simmons, Kochava head of client analytics, stated: "This is theft — no other way to say it." The Cheetah and Kika apps that were identified in the fraud scheme include Clean Master, Security Master, CM Launcher 3D, Kika Keyboard, Battery Doctor, Cheetah Keyboard, CM Locker, and CM File Manager.
Kochava sent Kika Tech a video of its Kika Keyboard app engaging in fraudulent practices, and the U.S. general manager for Kika, Marc Richardson, said Kika "has no intentions of engaging in fraudulent practices." Richardson continued, "Kika Keyboard is a large, well-known app that helps its users communicate in many unique ways and we are extremely disappointed to learn about these ‘flooding and injection’ practices. We appreciate you putting this to our attention."
Kika's CEO says that the company is researching the fraudulent practices and claims any ad fraud took place without its knowledge. Kochava says that the Kika Keyboard app uses the company's proprietary software to commit the fraud and the functions are built into the app itself. Kochava's Simmons said, "No one got in there and fiddled with anything." Kochava counted both Cheetah and Kika as customers when it outed the developers for alleged click fraud. This fraud again highlights the lax security of the Google Play Store and how slowly Google responds to fraudulent apps once they are discovered.
Recently, game apps that claimed to be driving simulators of various types were found to be packed with malware and had been downloaded a combined 580,000 times. Earlier this year, a QR reader app that had been downloaded over 500,000 times was found to be infected with malware.