Ad Fraud Targeting Korean Android Users Discovered in 43 Google Media Streaming Apps
A recent investigation into Google Play Store apps revealed an ad fraud campaign carried out by some developers. The practice, directed particularly at Korean Android users, loads invisible ads while the device screen is switched off.
McAfee's Mobile Research Team stated in an advisory that this practice might initially seem user-friendly, but it violates the Google Play Developer policy on the display of ads. The ad fraud not only adversely affects advertisers but also harms users in various ways.
The team discovered the apps, which mainly consist of media streaming (TV/DMB Player, Music Downloader), news, and calendar applications, with a collective 2.5 million installations. The discovery was promptly reported to Google, which immediately removed most of the apps. The apps that remain have been updated to comply with Google's policies.
After installation, the ad fraud library employs sophisticated delay techniques (several weeks) to avoid detection and inspection by users. In addition, its complicated configurations can be pushed and modified using the Firebase Storage or Messaging service, making it difficult to identify and analyze the fraudulent behavior of these rogue apps.
The advisory stated that during the installation process, these malicious apps seek "power saving and draw over other apps" permissions, which help them conduct discreet activities in the background. Users should beware of granting these permissions, as doing so makes them susceptible to phishing and ad fraud campaigns, noted McAfee.
After the latent period, the invisible ad fraud begins whenever the unaware user's device screen is turned off. The library registers device information and then retrieves the specific ad URL from Firebase Storage to display the ads. Such practices not only drain the device battery but also consume mobile data.
With the rise of smartphone malware, it is essential that users remain vigilant when installing apps and granting them permissions.
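As an added example (not from McAfee's advisory or this article), the following audit flags packages that request both permissions described above. It assumes input in the style of `aapt dump permissions` output, and it assumes the article's "draw over other apps" and "power saving" correspond to the two Android manifest permissions named in the code; the package names and sample dump are constructed.

```python
import re

# Assumed mapping of the article's wording to Android manifest permission names.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"  # "draw over other apps"
BATTERY = "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"  # "power saving"
WATCHED = {OVERLAY, BATTERY}

PKG_RE = re.compile(r"^package:\s*(\S+)")
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*name='([^']+)'")

# Constructed sample: three permission dumps concatenated into one text.
SAMPLE = """\
package: com.example.dmbplayer
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS'
package: com.example.calendar
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
package: com.example.notes
uses-permission: name='android.permission.INTERNET'
"""

def parse_permission_dump(text):
    """Return {package: set(requested permissions)} from concatenated dumps."""
    apps, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        pkg = PKG_RE.match(line)
        if pkg:
            current = pkg.group(1)
            apps.setdefault(current, set())
            continue
        perm = PERM_RE.match(line)
        if perm and current is not None:  # ignore permission lines before any package
            apps[current].add(perm.group(1))
    return apps

def flag_background_overlay_apps(apps):
    """Packages requesting both watched permissions, sorted for stable output."""
    return sorted(p for p, perms in apps.items() if WATCHED <= perms)

def partial_matches(apps):
    """Packages requesting exactly one watched permission (lower review priority)."""
    return {p: sorted(perms & WATCHED) for p, perms in apps.items()
            if len(perms & WATCHED) == 1}

if __name__ == "__main__":
    parsed = parse_permission_dump(SAMPLE)
    print("review first:", flag_background_overlay_apps(parsed))
    print("one of two:", partial_matches(parsed))
```

Requesting both permissions is a reason to review an app, not proof of fraud, since legitimate apps also use them.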