The latest round of takedowns has to do with 22 apps that used a backdoor to enable developers to simulate ad clicks. This not only allowed the fraudulent devs to make cash from advertising companies, by giving them fake impressions, but also affected unknowing users with severe battery drain and bandwidth consumption, a new Ars Technica report reveals.
According to the report, and based on observations from antivirus provider Sophos, the rogue apps used a “device-draining backdoor” that allowed attackers to download files in the background, without user notice. What's more, some of these apps didn't have the malware when they went live on the Google Play Store, but were "updated" later to enable the backdoor. This is a worrisome revelation, as it suggests that even apps that are initially deemed safe could become malicious further down the line with a simple update.
The apps were used to "click endlessly on fraudulent ads," the Ars report states. The malicious software allowed the apps to automatically start and run in the background even after a user force-closed them, resulting in severe battery drain and bandwidth consumption.
The goal of this backdoor is to allow attackers to create fraudulent advertising impressions by constantly running an app and simulating ad clicks. What's more, according to Sophos, the impressions were made to appear as though they were coming from iPhone users. This was done because iPhone users are perceived to be more lucrative, due to the average spending on apps and in-app purchases on iOS being higher than on Android.
One of the most popular of the removed rogue apps is Sparkle Flashlight, which went live on Google Play sometime in 2016 or 2017 and has since garnered over a million downloads. It was updated in March of this year to open the malicious backdoor, the report states. You can find the full list of removed apps here.