The Google Play Store is supposed to be a safe haven, a walled garden designed to protect us from the dangers of malicious, unvetted apps and software that would do our smartphones harm. Although the Play Store has a robust anti-virus system in place, it appears that a new wave of malevolent applications has breached the Play Store undetected.

Fraud protection researchers at eZanga have uncovered hundreds of apps installed on Android smartphones around the world that are engaged in fraudulent advert click revenue generation. According to the company, more than 300 identified apps in the Store could cost the industry a staggering $6.5 billion in lost advertising revenue this year.

This issue was first uncovered after eZanga’s ad fraud solution Anura detected ad click attempts from a number of Play Store apps and closely monitored two wallpaper apps called Lovely Rose and Oriental Beauty. During a 24-hour period, the test phones with the app installed remained in sleep mode yet the apps requested a total of 3,061 ads and made 169 successful clicks.

As of June 16, the company has detected 317 of these apps on the Play Store, with 1,300 further malicious apps available from other sources. According to the whitepaper, even one $0.015 cost-per-click (CPC) ad payment per hour from these 317 active apps could cost advertisers between $62,000 and $214,000 a day, and these apps appear to be making many more requests than that. eZanga estimates that these apps have accumulated between 4.1 and 14.2 million installs so far, with the most popular app – Clone Camera – generating almost a million installs on its own.

The research identified a number of Play Store developers releasing multiple applications with the same characteristics. Some of those named include Attunable, Classywall, Firamo, FlameryHot, NeonApp, Goopolo, Litvinka Co, Livelypapir, Tuneatpa Personalization, Waterflo, X Soft, and Zheka.

Interestingly, the list also identifies the hugely popular ES File Explorer/Manager PRO as an app exhibiting similar behaviour. However eZanga has clarified to us that the malware is only found inside a cracked APK version of the app and not the legitimate copy that can be bought from the Play Store. The researchers tested both versions and found that only the cracked version has the malicious code inserted into it. If anyone needed a reminder why it’s wise to avoid cracked apps, here it is.

What are these apps doing?

While we’re used to hearing about malware and apps that target device security and compromise user data, this new wave of ad fraud apps are more subtle, simply using the host device to generate ad revenue for the parent company. In a nutshell, these apps are requesting ads and pretending that the app user clicked them, even when your smartphone is sleeping. This generates a small amount of ad revenue for the app developer, without any real person ever having seen or clicked on the ad. On a mass scale though, the profits can add up quickly.

So far, these type of bot apps are mostly downloaded as live wallpapers and other free cosmetic applications that the user will install and likely forget about. Most importantly they’re free too, which makes it easier for them to pick up casual installs. These bots are also now branching out into camera apps and web browsers too though.

These apps are particularly insidious as they don’t present any obvious issues for the user. You won’t suddenly be inundated with intrusive ads or find new apps automatically downloading themselves onto your device, or any other telltale signs of malware. Remaining inconspicuous is the key to generating revenue for the developer.

What’s the harm?

However these apps present some serious problems, both to us consumers as well as to other app developers and advertisers. For us users, these apps drain batteries faster and eat up our data, even while our smartphones are sleeping. Consumers may also begin to see adverts across various free to use services that don’t relate to their personal preferences, as personalized advertising profiles become warped by random bot clicking.

Infected consumer devices will suffer from increased battery and data usage, while advertisers and app developers will see the usefulness and profitability of ads fall.

Furthermore, these apps are still a type of malware and there’s no telling if they may become more aggressive in the future, potentially selling off other information collected by the application. This is particularly troublesome as these bots branch out into web and camera applications.

For the wider industry, this trend threatens to undermine both the usefulness and profitability of advertising. For companies looking to sell products, advertising budgets are simply being transferred to fraudulent accounts, which reduces makes meaningful advertising more expensive. Not to mention that the distortion of advertising profiles means that efficiently targeting advertising becomes more difficult, again raising the costs of reaching a target audience.

Advertising revenues per click are continually falling, and bots that reduce the effectiveness of advertisements means that this price could fall even further. That has a big knock-on effect for the revenue streams of a number of free services and apps, ranging from news sources to games. This will in turn dissuade development of further apps and products that would otherwise rely on advertising revenue, making places like the Play Store a less vibrant place.

In summary

Although this these type of stealthy ad fraud apps may not be entirely what we’re use to when it comes to smartphone malware, they’re by no means any less problematic than more typical malware. With the number of detected apps increasing notable in just a few weeks, there’s a danger that this could balloon into an expensive problem for advertisers and developers.

eZanga states that it will be informing Google about the issue immediately, so hopefully the company can get on top of this problem before it becomes more widespread. In the meantime, it might be best to steer clear of any poorly rated cosmetics apps, deny these type of apps access to background data, and to check your current installs against the list of developers above.