Google typically removes malicious apps from the Play Store, and that’s not anything new or notable. It’s their digital storefront so they should stay on top of keeping it clean from potentially dangerous apps. However, after their last round of nixing 22 apps from the Play Store, it turns out that maybe Google let some seriously malicious apps fly under the radar for a very long time.
Those 22 apps totaled around 2 million downloads on user devices, and they all had a malicious backdoor that was abused in an ad-clicking scheme. It started with the Sparkle Flashlight app, which was updated to include a secret app downloader back in June of this year after being on the Play Store since 2016, and then spread to a few other existing and new applications.
These apps would phone home to download the ad-fraud modules and would receive new commands every 80 seconds, which typically involved displaying and clicking on ads to generate revenue. To keep that hidden, the ads were displayed in a virtually nonexistent window that was zero pixels high and zero pixels wide. But even though users couldn’t see the ads, those apps would quickly drain battery and use tons of data in the background, even to the point where they would reopen after being force closed so they could continue to run in the background.
To obfuscate things even further, this ad-fraud had devices spoofing their user agent strings to avoid false click detection. They would report to ad servers as several different models of iPhones as well as any of 249 models of Android devices.
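The two network traits described above, a fixed 80-second check-in and one device reporting as many different handsets, are both visible in proxy or DNS logs. The following is an added example, not code from the original article or from Google: the log rows, hostnames, user-agent labels and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Constructed sample rows (not real traffic): (epoch_seconds, device, host, user_agent)
def build_sample():
    rows = []
    uas = ["iPhone9,3", "SM-G950F", "Pixel 2", "iPhone10,6", "Moto G5"]
    for i in range(8):
        # device-a checks in with a control host every ~80 s (1 s of jitter)
        rows.append((1000 + 80 * i + (i % 2), "device-a", "control.example", "okhttp"))
        # ...and requests ads under a rotating handset identity
        rows.append((1010 + 80 * i, "device-a", "ads.example", uas[i % 5]))
    # device-b is ordinary use: irregular timing, one stable user agent
    for t in (1003, 1040, 1500, 1512, 2900, 3100):
        rows.append((t, "device-b", "ads.example", "Pixel 2"))
    return rows

# period/tolerance/min_polls/max_agents are assumed thresholds; tune per network.
def analyze(rows, period=80, tolerance=5, min_polls=5, max_agents=3):
    times = defaultdict(list)   # (device, host) -> request timestamps
    agents = defaultdict(set)   # device -> distinct user agents seen
    for ts, device, host, ua in rows:
        times[(device, host)].append(ts)
        agents[device].add(ua)
    findings = defaultdict(list)
    for (device, host), stamps in times.items():
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_polls:
            continue  # too few requests to judge regularity
        mid = median(gaps)
        steady = all(abs(g - mid) <= tolerance for g in gaps)
        if steady and abs(mid - period) <= tolerance:
            findings[device].append(f"fixed {mid:g}s polling to {host}")
    for device, seen in agents.items():
        if len(seen) > max_agents:
            findings[device].append(f"{len(seen)} distinct user agents")
    return dict(findings)

if __name__ == "__main__":
    for device, notes in analyze(build_sample()).items():
        print(device, notes)
```

Either signal alone can have a benign cause (push keep-alives, shared NAT addresses), so the combination on a single handset is the stronger indicator.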
It’s good news that Google has finally pulled these apps off the store, obviously, but the fact that they were available for so long through official channels and doing something so intrusive in the background really raises some eyebrows about how Google handles its storefront. It’d be one thing if these apps had to be sideloaded from a website, but being able to get malware to rival some awful Windows viruses directly through Google Play doesn’t build much confidence in anyone.
And for anyone reading this, seriously, don’t install flashlight apps.
source: Ars Technica