This article originally appeared in Threat Post on November 27, 2018.
Eight popular Android apps are embezzling from the ad ecosystem on a widespread basis, according to allegations.
Cheetah Mobile is finding itself in a swirl of media attention after being accused of developing mobile apps that contain deliberate ad fraud features. But the mobile giant says it didn’t do it.
The Chinese developer, which is listed as a top provider in Google Play’s tool app category, offers security, cleaning, personalization and safe-browser software for Android. Researchers from app analytics company Kochava claim that seven of these apps, along with one from a company called Kika Tech, have likely stolen millions of dollars as part of a “click injection” scheme.
The researchers allege that Cheetah Mobile’s Battery Doctor, Cheetah Keyboard, Clean Master, CM File Manager, CM Launcher 3D, CM Locker and Security Master apps are engaged in the fraud, as is Kika Tech’s Keyboard app. Together these apps have been downloaded more than 2 billion times.
Click injection takes advantage of the fact that some app developers pay a reward to an ad network if the ad that it serves leads to a user downloading and installing their app. The reward is paid to the entity responsible for the “last click” – the last thing a user clicks on before the app downloads. These bounties can total anywhere from a few cents to as much as $3 per app install, according to Kochava, and can quickly accumulate depending on the popularity of a given app.
Kochava researchers claim that Cheetah Mobile and Kika Tech are gaming this system by building in user permissions to some of their Android applications that allow their software to see when new apps are downloaded to a device. When a download is detected, the code will check to see if installation bounties are available for the download; and if so, it will send off a bogus “click” with fake app attribution information in order to capture the reward.
In Kika Tech’s case, there’s a slight twist, according to the allegations: The researchers said that the app listens for Google Play store searches (even when the keyboard isn’t active), checks for install bounties for apps related to those searches, and then sends off fraudulent clicks/attribution info to claim the reward for any future installations.
The victims of this are mainly the ad networks that should have gotten the rewards; but end users may find their batteries drained and data usage soar as this goes on. This kind of theft is big business. According to a Q1 mobile ad fraud report from AppFlyer, financial exposure totaled $800 million in the quarter, a 30 percent increase over last year thanks to the growth of the mobile ecosystem. Fraudulent installs made up 11.5 percent of all paid installs, the report found, so total losses were around $92 million.
Cheetah Mobile vigorously denies wrongdoing; in a website statement it said that the issue actually lies with the third-party software development kits (SDKs) that it uses to integrate with ad networks.
“Cheetah Mobile works with almost all major ad platforms in the advertising industry,” it said. “Each platform supplies ads through its own SDK integrated with the company’s apps, then the SDKs decide which ads to display. The SDKs and third-party attribution platforms work together to determine attribution of app installations. Cheetah Mobile’s apps themselves are not part of that process.”
It also said that it’s in communication with all SDK providers to investigate the allegations.
For its part, Kika Tech gave a media statement to Threatpost, intimating that the issue comes from external tampering.
“At this time, Kika is extensively researching the critical issues you raised internally,” the statement reads. “If in fact, code has been placed inside our product we will do everything to quickly and fully rectify the situation and take action against those involved. For now, we do not have further comments as we begin our internal research.”
Kochava however has a different assessment of who’s responsible. Its research claims that the SDK involved in the fraud for Cheetah Mobile apps is actually “owned and developed by Cheetah.” And, Kochava and an additional analysis from Method Media Intelligence commissioned by BuzzFeed found that the Kika Keyboard app fraud is carried out via the company’s own proprietary software.
Kochava said that the code actually has built-in capabilities that allow them to pass the attribution information through several ad networks, in order to camouflage the fraud. Kika Keyboard alone spreads attribution claims across more than 20 ad networks, Kochava said, going so far as to use fake app names.
“No one got in there and fiddled with anything,” Grant Simmons, the head of client analytics for Kochava, told BuzzFeed.
However, Chris Olson, CEO of The Media Trust, told Threatpost that proprietary software can include third-party code – and thus perhaps unknown weaknesses.
“Developers that want to steer clear of accusations of fraud, data breaches, or user data privacy violations should get to know all the third parties they do business with, track all of what these third parties do on their mobile apps, and enforce their digital policies with these third parties,” he noted. “As data regimes proliferate, including the California Consumer Privacy Act and the proposed federal consumer data privacy bill that would imprison CEOs for misleading regulators about data privacy practices, ensuring these third parties work within those digital policies is fast becoming a key revenue strategy in a changing regulatory landscape.”
It’s a he said/she said situation for now, but Rusty Carter, vice president of product management at Arxan, said that where the responsibility lies is clear.
“Everyone pointing at each other, but it’s a simple answer: The publisher of the app someone is using is responsible for everything occurring within and from that app (and is responsible for the protection of data and personal information),” he told Threatpost. “Whether the SDKs have their own vulnerabilities, or even malicious behavior, the publisher of an app must be responsible and accountable for any activities of their apps. Just as the public expects an auto manufacturer to be responsible for the safety and performance of the vehicle and all the components which make up a vehicle (which in many cases come from third parties), the responsibility of fraudulent behavior of any component of an app are the responsibility of the publisher, so that if/when something is discovered, they take action immediately to remedy and prevent future issues.”
For its part, Google said that it’s investigating the claims.
Cheetah Mobile did not respond to requests for comment on this story.
If anything, the story shines a light on the rampant nature of mobile ad fraud. “Fraud in general is becoming more common, and in areas where there is the possibility we can expect unscrupulous actors to take advantage of it,” Carter told Threatpost. “There is a tremendous amount of money in the advertising/app referral ecosystem, and weaknesses or vulnerabilities in the system may be silently ignored until the major players have ways to fix the vulnerabilities without affecting their revenue.”