Google Identifies Malicious SDKs Used as Part of an Ad Fraud

Malicious apps hiding in the Google Play Store continue to pose a threat to unsuspecting users, which is why the company recently removed two popular apps after a BuzzFeed investigation proclaimed them malicious. The apps in question — Kika Tech and Cheetah Mobile — were found to be engaging in ad fraud, which forced Google to react as soon as these allegations were confirmed.

However, this was only a small victory for the company, as another new discovery prompted an urgent warning. During its own investigation, Google uncovered as many as three malicious ad network SDKs (Software Development Kits) that are being misused by an unknown entity or entities to conduct ad fraud.

Because numerous app developers use these SDKs in their apps, Google has started emailing them, explaining the situation, and requesting the SDKs' removal. Developers who do not comply risk having their apps removed from the Play Store as well, even though they are most likely not even aware of the malicious nature of the SDKs.

While Google did publicly announce that as many as three SDKs are involved in ad fraud, it has yet to reveal them by name. However, sources familiar with the matter have stated that the SDKs in question are likely YeahMobi, BatMobi, and AltaMob.

In addition, Google did not share how widely these SDKs are actually used in Android apps. However, considering the serious tone of the company’s blog post, many have deduced that the situation is far from harmless.

Google’s VP and Head of Security & Privacy, Android & Play, Dave Kleidermacher, stated that the company takes action whenever it notices an app that goes against established policies. This is why Google started its own investigation as soon as the allegedly fraudulent apps were noticed.

As mentioned, developers have already been notified of the situation and asked to take action. They were also given a short period to make the necessary changes and remove the malicious SDKs before Google takes down infected apps completely.

The BuzzFeed report mentioned earlier found around 8 apps, with over 2 billion downloads in total, to be involved in an ad scheme. After the report was published, Cheetah Mobile removed two of the apps it named — Battery Doctor and CM Launcher. While discussions with Google regarding these issues have already started, the issues have yet to be resolved.

Another two apps — Cheetah’s File Manager and Kika Keyboard — were removed on Monday, as they were confirmed to be using ad fraud techniques, including click flooding and click injection. The apps were basically engaging in app install attribution abuse, which allowed them to collect the bounty from app developers. These two apps alone had over 250 million installs.

Google also took an extra step and removed the apps from its AdMob mobile advertising network. For now, four of the eight apps believed to be part of the scam have been removed from the Play Store. As for the other four, Google has yet to confirm that they are actually part of the campaign. However, even if all four remaining apps end up being removed, it does not mean that Google will stop there.

In fact, it is believed that many more apps might be removed in due time if their developers fail to remove the malicious SDKs on their own. Google has been trying to minimize app-based fraud campaigns for years now, and the result of its efforts is the Google Play Install Referrer API, which developers should take advantage of.