Google has struggled for years to keep malicious applications from sneaking into the Play Store, but a new round of takedowns is highlighting the challenge of getting the problem under control. At the beginning of March, Google removed 56 applications that appeared benign but were tainted with adware. They'd been downloaded more than a million times before.

While more than half the apps claimed to be benign utilities like calculators, translation tools, or cooking apps—common adware smugglers—24 were specifically targeted at kids. These flashy offerings, like puzzles and racing games, are a particularly pernicious way for attackers to get malware onto more victim devices. Researchers from the security firm Check Point disclosed findings about the apps to Google as part of ongoing research into how hackers conceal and distribute malware on Google Play. And they're publishing details about the adware today.

"Since parents have the tendency to give their devices to their children to play with, luring children to install malicious applications is a prominent attack vector to reach devices of adults," says Aviran Hazum, manager of mobile research at Check Point. "Most children don't have the understanding of vetting out applications."

Adware is a longstanding mobile menace, but attackers have gotten particularly aggressive about disseminating it in recent months. The threat-detection firm Malwarebytes found in an annual study that adware "reigned supreme" in 2019 as the most common threat on Android devices, Macs, and Windows PCs. Earlier this month, the antivirus firm Avast published findings that adware specifically accounted for 72 percent of all Android malware between October and December last year. And beyond Android, every platform seems to be scrambling to reduce the risk to users. Microsoft announced at the end of February, for example, that its Edge browser would start specifically scanning for and blocking adware downloads by default.

The adware in the tainted apps was specifically designed to undermine Android's MotionEvent mechanism. App developers use this to recognize movements like taps and multifinger gestures and gather information about them, like their coordinates on the screen in two- and three-dimensional space. MotionEvent helps apps interpret these user inputs and respond accordingly. The adware, which Check Point calls Tekya, was manipulating these inputs to simulate users tapping ads.

The researchers observed Tekya creating false clicks to generate revenue from ad networks including Facebook, Unity, AppLovin', and Google's AdMob. Adware manipulates the ad ecosytem to make money for hackers by making it seem like an army of users have viewed and interacted with ads. Many of the 56 infected applications Check Point identified weren't just benign-looking utilities but actually clones of legitimate applications meant to confuse users and raise the chance that they would accidentally download the malicious version—like a fake Stickman game and versions of Hexa Puzzle and Jewel Block Puzzle. The group also included a malicious PDF reader and a Burning Man-themed app.

Tekya hides its abusive functionality in a foundational layer of applications. Known as "native code," this part of software packages is notoriously difficult to vet for malicious components.

Google confirmed to WIRED that it removed the apps earlier this month. The company has worked diligently to curb the influx of malicious applications in Google Play—conducting large-scale coordinated takedowns and developing expanded detection tools to catch more lemons during the Play Store vetting process. The company has even enlisted outside help in the war on malicious apps.

With more than 3 million apps in Google Play and hundreds of new submissions each day, though, it is still challenging for Google to spot everything. And as long as it's relatively easy for fraudsters to build and spread malicious apps, they're going to keep coming.

More Great WIRED Stories