Google removed two popular Cheetah Mobile and Kika Tech apps from its Play store today after finding “deceptive and malicious behavior” that was first outlined in a BuzzFeed News report.

Google said an internal investigation found that CM File Manager and the Kika Keyboard contain code used to execute ad fraud techniques known as click injection and/or click flooding. The activity was first documented in seven Cheetah apps and one from Kika Tech by Kochava, an app analytics and attribution company that shared its research with BuzzFeed News.

A Google spokesperson said it continues to investigate the apps, and that it expects to take additional action.

“We take these allegations very seriously and our Google Play Developer policies prohibit deceptive and malicious behavior on our platform. If an app violates our policies, we take action,” said a statement from Google.

Cheetah and Kika can both appeal the decision, the company said. Google also appears to have removed both apps from its AdMob mobile advertising network, though the company did not comment on the apps' status. (AdMob was not used to execute click injection/click flooding.)

The removal of these apps is a huge blow to Cheetah and Kika, two major Chinese app developers who together have hundreds of millions of monthly active users. It also highlights how mobile apps can abuse user permissions and engage in malicious activity without users’ knowledge.

The two removed apps, CM File Manager and the Kika Keyboard, have been downloaded from the Google Play store more than 250 million times, according to app analytics service AppBrain. The Kika Keyboard is the top keyboard app in the Play store, and Cheetah Mobile is one of the biggest developers of apps in the entire Android ecosystem, when measured by downloads.

Two other Cheetah apps, Battery Doctor and CM Launcher, were removed from the Play store last week after BuzzFeed News published its story. Cheetah said it removed them on its own accord, but the apps have not yet returned to the store.

Cheetah issued a press release on Tuesday, the day after its app was removed, to reassure investors that the removal of CM File Manager would not affect its revenue.



"File Manager is an immaterial app in terms of revenue contribution to the Company as it generated less than $58,000 in the third quarter of 2018, which accounted for 0.03% of the Company's total revenues in the same period," the release said.



The company did not dispute Google's findings, but said it "takes the current matter very seriously and is in continuous communication with Google Play to resolve any issues that may arise."

Kika Tech did not respond to a request for comment.



The behavior identified by Google and Kochava enabled the apps to falsely receive credit for helping cause a user to download and open other apps. App developers pay a fee to partners that help drive new downloads of their apps. The Cheetah and Kika apps were claiming a portion of these fees even when they played no role in an installation. Google refers to this as “install attribution abuse.”

This news comes as Cheetah has been issuing increasingly aggressive press releases over the past week to question the findings from Kochava and reporting by BuzzFeed News. Cheetah initially said it “takes the issues raised in the article very seriously,” while shifting blame to third-party software development kits (SDK) installed in its apps.

Then, after suffering massive declines in its stock price, the company issued another press release to say it “has neither the intention or ability to direct such advertising platforms to engage in the alleged ‘click injections.’” It threatened legal action against Kochava “and the responsible persons that the Company believes have generated and disseminated those untrue and misleading statements.”

The company issued a third, more detailed release that it said contained evidence that “Kochava's testing methods contained fundamental mistakes, leading to a number of false or misleading conclusions.”

Kika Tech also issued a release to say the claims in the BuzzFeed News story “are false and hold no merit.” (It initially told Buzzfeed News it was “extremely disappointed to learn about these ‘flooding and injection’ practices," adding, "We appreciate you putting this to our attention.”)

As the operator of the Play store and a major monetization partner for Kika and Cheetah, Google had to decide whether to accept Kochava’s research or the responses from Cheetah and Kika. After spending more than a week on its own investigation, today’s app removals signal Google's agreement with Kochava on the behavior within at least two apps. Google said it found native code within these two apps that was used for install attribution abuse, which contradicts the claim from Cheetah that a third-party SDK was responsible. Google also said it expects to take additional action as it finalizes its investigation.



“Kochava is pleased to see that Google has validated Kochava’s recent findings with respect to Cheetah Mobile and Kika Tech," Grant Simmons, the head of client analytics for Kochava, told BuzzFeed News. "Advertisers need to be able to operate in an environment free from [ad] fraud. Kochava intends to continue connecting the dots of fraud across the adtech ecosystem so that our advertiser clients can spend with confidence.”

This news comes after Cheetah also received negative attention last week in China for its Cheetah Browser app. The Shanghai Consumer Council raised concerns about the level of user permissions required by the app, including the ability to access outgoing calls and text messages. Cheetah responded with a statement in Chinese to say it updated the app in question.