Malicious Apps with 1.5 Million Downloads Found on Google Play
Security experts at Symantec have discovered malicious apps on Google Play that were engaging in click fraud by generating “invisible” ad clicks, which reduced the performance of infected devices and drained their batteries.
Which Apps Were Involved?
The click fraud features were found in a note-taking app (Idea Note: OCR Text Scanner, GTD, Color Notes) and a fitness app (Beauty Fitness: daily workout, best HIIT coach). Combined, these apps were installed over 1.5 million times and had been available on Google Play for more than a year, published by a developer named Idea Master.
How Did the Malicious Activity Work?
The malicious activity began with a message sent through the Android Notification Manager. When users tapped the notification, it triggered the hidden display of ads. Researchers explained that the malware’s developer creatively used pop-up notifications (Toast Notifications) to load ads. This method allowed the ads to be hidden from the victim by placing the notification outside the visible area of the screen.
The malware author used the translate() and dispatchDraw() functions, making the Canvas object invisible to the user. After that, an automatic clicker would click on the ads, generating revenue for the app developer.
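A triage heuristic for the technique described above, as an added example that is not from Symantec's research or from the apps themselves: it flags decompiled Java classes whose dispatchDraw() override calls translate() on the canvas and records whether the same file references Toast. It assumes the APK has already been unpacked and decompiled; the sample sources and the class names HiddenAdView and Badge are constructed for illustration.

```python
import re

# Constructed sample input: simplified decompiled Java, not code from the real apps.
SAMPLES = {
    "HiddenAdView.java": """
        class HiddenAdView extends FrameLayout {
            protected void dispatchDraw(Canvas canvas) {
                canvas.translate(offX, offY);
                super.dispatchDraw(canvas);
            }
            void show(Context c) { Toast t = new Toast(c); t.setView(this); t.show(); }
        }""",
    "Badge.java": """
        class Badge extends FrameLayout {
            protected void dispatchDraw(Canvas canvas) { super.dispatchDraw(canvas); }
            void nudge(Canvas canvas) { canvas.translate(1, 1); }
        }""",
}

def method_body(source, name):
    """Return the brace-balanced body of the first method declared as `name`, or None."""
    # A declaration is followed by '{'; a call such as super.dispatchDraw(...) is not.
    m = re.search(r"\b%s\s*\([^)]*\)\s*\{" % re.escape(name), source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def triage(files):
    """List files where translate() is called inside a dispatchDraw() override.

    translate() in dispatchDraw() also has legitimate uses, so results are
    candidates for manual review, not verdicts.
    """
    findings = []
    for path, src in sorted(files.items()):
        body = method_body(src, "dispatchDraw")
        if body is None or not re.search(r"\.translate\s*\(", body):
            continue
        toast = bool(re.search(r"\bToast\b", src))
        findings.append({"file": path, "toast_in_file": toast})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLES):
        print(finding)
```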
Why Did It Go Undetected?
Analysts noted that the apps remained undetected for a long time because they used a legitimate packer, which is typically used to protect intellectual property. This made it harder for Google’s automated scanners and cybersecurity experts to analyze the APK files.
Impact on Users
Although the ads were invisible to the owners of infected devices, the malware’s activity negatively affected device performance. The battery would drain much faster, and visiting numerous ad sites generated additional mobile data traffic.