With more than 100 million installs, file-sharing service 4shared is one of the most popular apps in the Android app store.

But security researchers say the app is secretly displaying invisible ads and subscribes users to paid services, racking up charges without the user’s knowledge — or their permission — collectively costing millions of dollars.

“It all happens in the background… nothing appears on the screen,” said Guy Krief, chief executive of London-based Upstream, which shared its research exclusively with TechCrunch.

The researchers say the app contains suspicious third-party code that allowed the app to automate clicks and make fraudulent purchases. They said the component, built by Hong Kong-based Elephant Data, downloads code which is “directly responsible” for generating the automated clicks without the user’s knowledge. The code also sets a cookie to determine if a device has previously been used to make a purchase, likely as a way to hide the activity.

Upstream also said the code deliberately obfuscates the web addresses it accesses and uses redirection chains to hide the suspicious activity.

Over the past few weeks Upstream said it’s blocked more than 114 million suspicious transactions originating from two million unique devices, according to data from its proprietary security platform, which the company said would cost consumers if they are not blocked. Upstream only has visibility in certain parts of the world — Brazil, Indonesia and Malaysia to name a few — suggesting the number of observed suspicious transactions was likely a fraction of the total number.

Then in mid-April, 4shared’s app suddenly disappeared from Google Play and was replaced with a near-identical app with the suspicious components removed.

At the time of writing, 4shared’s new app has more than 10 million users.

Irin Len, a spokesperson for 4shared, told TechCrunch that the company was “unaware” of the fraudulent ad activity in its app until we reached out, but confirmed the company no longer works with Elephant Data.

Len said the old app was removed by Google “without reason,” but its suspicions quickly fell on the third-party components, which the company removed and resubmitted the app for approval. But because their old app was pulled from Android’s app store, 4shared said it wasn’t allowed to push an update to existing users to remove the suspicious components from their devices.

Google did not respond to TechCrunch’s request for comment.

We sent Elephant Data several questions and follow-up emails prior to publication but we did not hear back.

4shared, owned by New IT Solutions based in the British Virgin Islands, makes a brief reference to Elephant Data in its privacy policy but doesn’t explicitly say what the service does. 4shared said since it’s unable to control or disable Elephant Data’s components in its old app, “we’re bound to keep the detailed overview of which data may be processed and how it may be shared” in its privacy policy.

Little else is known about Elephant Data, except that it bills itself as a “market intelligence” solution designed to “maximize ad revenue.”

The ad firm has drawn criticism in several threads on Reddit, one of which accused the company of operating a “scam” and another called the offering “dodgy.” One developer said he removed the components from his app after it began to suffer from battery-life issues, but Elephant Data was “still collecting data” from users who hadn’t updated their apps.

The developer said Google also banned his app, forcing him to resubmit an entirely new version of his app to the store.

It’s the latest app in recent months to be accused of using invisible ads to generate fraudulent revenue. In May, BuzzFeed News reported similar suspicious behavior and fraudulent purchases in Chinese video app VidMate.