A few days ago, Google removed popular Cheetah Mobile and Kika Tech apps from its Play Store following a BuzzFeed investigation, which discovered the apps were engaging in ad fraud. Today, as a result of Google’s ongoing investigation into the situation, it has discovered three malicious ad network SDKs that were being used to conduct ad fraud in these apps. The company is now emailing developers who have these SDKs installed in their apps and demanding their removal. Otherwise, the developers’ apps will be pulled from Google Play, as well.

To be clear, the developers with the SDKs (software development kits) installed aren’t necessarily aware of the SDKs’ malicious nature. In fact, most are likely not, Google says.

Google shared this news in a blog post today, but it didn’t name the SDKs that were involved in the ad fraud scheme.

TechCrunch has learned the ad network SDKs in question are AltaMob, BatMobi and YeahMobi.

Google didn’t share the scale to which these SDKs are being used in Android apps, but based on Google’s blog post, it appears to be taking this situation seriously — which points to the potential scale of this abuse.

“If an app violates our Google Play Developer policies, we take action,” wrote Dave Kleidermacher, VP, Head of Security & Privacy, Android & Play, in the post. “That’s why we began our own independent investigation after we received reports of apps on Google Play accused of conducting app install attribution abuse by falsely claiming credit for newly installed apps to collect the download bounty from that app’s developer,” he said.

The developers will have a short grace period to remove the SDKs from their apps.

The original BuzzFeed report found that eight apps with a total of 2 billion downloads from Cheetah Mobile and Kika Tech had been exploiting user permissions as part of an ad fraud scheme, according to research from app analytics and research firm Kochava, which was shared with BuzzFeed.

Following the report, Cheetah Mobile apps Battery Doctor and CM Locker were removed by Cheetah itself. The company additionally issued a press release aimed at reassuring investors that the removal of CM File Manager wouldn’t impact its revenue. It also said it was in discussions with Google to resolve the issues.

As of today, Google’s investigation into these apps is not fully resolved.

But it pulled two apps from Google Play on Monday: Cheetah Mobile’s File Manager and the Kika Keyboard. The apps, the report had said, contained code that was used for ad fraud — specifically, ad fraud techniques known as click injection and click flooding.

The apps were engaging in app install attribution abuse, which refers to a means of falsely claiming credit for a newly installed app in order to collect the download bounty from the app developer. The three SDKs that Google is now banishing were found to be falsely crediting app installs by creating false clicks.

Combined, the two companies had hundreds of millions of active users, and the two apps that were removed had a combined 250 million installs.

In addition to removing the two apps from Google Play, Google also kicked them out of its AdMob mobile advertising network.

With Cheetah’s voluntary removal of two apps and Google’s booting of two more, a total of four of the eight apps that were conducting ad fraud are now gone from the Google Play store. When Google’s investigation wraps, the other four may be removed as well.

Even more apps could be removed in the future, too, given that Google is demanding that developers now remove the malicious SDKs. Those who fail to comply will get the boot, too.

One resource Google Play publishers, ad attribution providers and advertisers may want to take advantage of, going forward, is the Google Play Install Referrer API. This will tell them how their apps were actually installed.

Explains Google in its blog post:

Google Play has been working to minimize app install attribution fraud for several years. In 2017 Google Play made available the Google Play Install Referrer API, which allows ad attribution providers, publishers and advertisers to determine which referrer was responsible for sending the user to Google Play for a given app install. This API was specifically designed to be resistant to install attribution fraud and we strongly encourage attribution providers, advertisers and publishers to insist on this standard of proof when measuring app install ads. Users, developers, advertisers and ad networks all benefit from a transparent, fair system.

“We will continue to investigate and improve our capabilities to better detect and protect against abusive behavior and the malicious actors behind them,” said Kleidermacher.

Yeahmobi released a statement saying they “take this very seriously and are actively looking into this issue with our partners and Google.” Other companies have not offered a comment.

Correction: CM Locker, not CM Launcher, was the name of the app removed by Cheetah itself.