Eight Android apps are said to be abusing user permissions as part of a scam that may have stolen millions of dollars. The tactic was uncovered by the app analytics and attribution firm Kochava, which shared the discovery with the American website BuzzFeed News.
According to the company, the apps together add up to two billion downloads on Google Play. Seven of them belong to Chinese developer Cheetah Mobile, including the popular Clean Master space optimization and cleaning tool, which brings together more than a million users. The other app involved is from the company Kika Tech, which reportedly received a large investment from Cheetah in 2016.
The scam does not affect users directly, but rather other app companies that take part in a legitimate strategy for acquiring new users. Under this arrangement, developers pay a reward of US$0.50 (about R$1.93) to US$3 (approximately R$11.61) to partner apps that help drive new installs of their apps. Kochava found that Cheetah Mobile and Kika Tech tracked when users of their software downloaded other programs from the Google store and improperly claimed credit for the download. The illegal practice is called click flooding and click injection.
"That's robbery – there's no other way to say it," Grant Simmons, Kochava's head of customer analysis, told BuzzFeed News. "These are real companies doing this – on a scale – not a random person in your basement," he said of the severity of the episode. Simmons claims to have seen this behavior in other apps run by Chinese companies and believes it's a kind of business tactic.
| App | Number of downloads | Company |
|---|---|---|
| Clean Master | 1 billion | Cheetah Mobile |
| Security Master | 540M | Cheetah Mobile |
| CM Launcher 3D | 225M | Cheetah Mobile |
| Kika Keyboard | 205M | Kika Tech |
| Battery Doctor | 200M | Cheetah Mobile |
| Cheetah Keyboard | 105M | Cheetah Mobile |
| CM Locker | 105M | Cheetah Mobile |
| CM File Manager | 65M | Cheetah Mobile |
Some of the Cheetah apps involved in the complaint are among the most popular productivity apps on Google Play. In the past 30 days alone, these apps have been downloaded more than 20 million times, according to data from the AppBrain analytics service cited by BuzzFeed News. Kika Keyboard is already the most popular keyboard application in the store and claims to have 60 million downloads per month.
According to Praneet Sharma, CTO of ad fraud investigation firm Method Media Intelligence, the apps involved request a wide range of user permissions, which even include the ability to track keystrokes or know when other apps are downloaded. For Sharma, Google and other companies that operate similar stores should not accept programs that require a high level of permissions.
Contacted by BuzzFeed News, Kika Tech representatives expressed surprise at learning that the Kika Keyboard app was involved in click injection practices. According to a statement given to the website by the company's CEO, Bill Hu, these activities took place without the company's knowledge.
"Right now, Kika is researching extensively the critical issues that you have raised internally. If, in fact, the code was placed inside our product, we will do everything to rectify the situation quickly and totally and take action against those involved," he said. "For now, we don't have any more comments until we start our internal research." Despite that statement, Kochava and Method Media Intelligence, in an additional analysis for BuzzFeed News, found that the Android keyboard application performed the click flooding and injection through functions built directly into the application.
Also contacted by the US outlet, Cheetah Mobile said it believed that third-party software development kits (SDKs) integrated into its applications were responsible for the click injection.
"We work with many traditional advertising platforms through the integration of the SDK. (…) The advertising platforms and the independent arbitration parties work together to decide the allocation of application installations, and we are not part of that process. We will continue to examine the matter and will update it if we have more information," said a company spokesman in a statement.
However, according to Kochava, the SDK involved in the fraudulent activity is developed and owned by Cheetah and third parties. According to BuzzFeed News, after the complaint, Cheetah Mobile removed the CM Locker and Battery Doctor apps from Google Play. In a statement, the company said that the first has been relaunched and the second will be soon, without making clear when.