
Google typically removes malicious apps from the Play Store, and that's not anything new or notable. It's their digital storefront so they should stay on top of keeping it clean from potentially dangerous apps. However, after their last round of nixing 22 apps from the Play Store, it turns out that maybe Google let some seriously malicious apps fly under the radar for a very long time.
Those 22 apps totaled around 2 million downloads on user devices, and they all had a malicious backdoor that was abused in an ad-clicking scheme. It started with the Sparkle Flashlight app, which was updated to include a secret app downloader back in June of this year after being on the Play Store since 2016, and then spread to a few other existing and new applications.
These apps would phone home to download the ad-fraud modules and would receive new commands every 80 seconds, which typically involved displaying and clicking on ads to generate revenue. To keep that hidden, the ads were displayed in a virtually nonexistent window that was zero pixels high and zero pixels wide. But even though users couldn't see the ads, those apps would quickly drain battery and use tons of data in the background, even to the point where they would reopen after being force closed so they could continue to run in the background.
To obfuscate things even further, this ad-fraud had devices spoofing their user agent strings to avoid false click detection. They would report to ad servers as several different models of iPhones as well as any of 249 models of Android devices.
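Both traits described above are visible from the network side: a command poll every 80 seconds, and one device presenting many different device models in its User-Agent. The sketch below is an added example, not code from the article or its source; the log format, hostnames, addresses and thresholds are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log: epoch-seconds, device IP, host, "User-Agent".
# Hosts and addresses are placeholders, not indicators from the article.
SAMPLE_LOG = '''\
1000 10.0.0.5 cmd.example.invalid "Dalvik/2.1.0 (Linux; Android 8.0.0; Pixel 2)"
1012 10.0.0.5 ads.example.invalid "Mozilla/5.0 (iPhone; CPU iPhone OS 11_0)"
1080 10.0.0.5 cmd.example.invalid "Dalvik/2.1.0 (Linux; Android 8.0.0; Pixel 2)"
1093 10.0.0.5 ads.example.invalid "Mozilla/5.0 (Linux; Android 7.0; SM-G930F)"
1161 10.0.0.5 cmd.example.invalid "Dalvik/2.1.0 (Linux; Android 8.0.0; Pixel 2)"
1170 10.0.0.5 ads.example.invalid "Mozilla/5.0 (Linux; Android 6.0; Nexus 5)"
1240 10.0.0.5 cmd.example.invalid "Dalvik/2.1.0 (Linux; Android 8.0.0; Pixel 2)"
1005 10.0.0.9 news.example.invalid "Mozilla/5.0 (Linux; Android 8.0.0; Pixel 2)"
'''

LINE = re.compile(r'^(\d+) (\S+) (\S+) "([^"]*)"$')

def parse(log):
    """Return (timestamp, device, host, user_agent) tuples; skip malformed lines."""
    hits = (LINE.match(l.strip()) for l in log.splitlines())
    return [(int(m[1]), m[2], m[3], m[4]) for m in hits if m]

def beacons(rows, period=80, jitter=5, min_hits=4):
    """(device, host) pairs polled at a steady ~period-second interval."""
    times = defaultdict(list)
    for ts, dev, host, _ in rows:
        times[(dev, host)].append(ts)
    found = set()
    for key, seen in times.items():
        seen.sort()
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        if (len(gaps) >= max(1, min_hits - 1) and abs(mean(gaps) - period) <= jitter
                and pstdev(gaps) <= jitter):
            found.add(key)
    return found

def ua_churn(rows, min_agents=3):
    """Devices that present min_agents or more distinct User-Agent strings."""
    agents = defaultdict(set)
    for _, dev, _, ua in rows:
        agents[dev].add(ua)
    return {dev: len(uas) for dev, uas in agents.items() if len(uas) >= min_agents}

def suspects(rows):
    """Devices showing both the 80-second polling and the User-Agent churn."""
    return sorted({dev for dev, _ in beacons(rows)} & set(ua_churn(rows)))
```

Requiring both signals keeps the false-positive rate down: regular polling alone matches many legitimate sync clients, and User-Agent variety alone matches any device with several browsers installed.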
It's good news that Google has finally pulled these apps off the store, obviously, but the fact that they were available for so long through official channels and doing something so intrusive in the background really raises some eyebrows about how Google handles its storefront. It'd be one thing if these apps had to be sideloaded from a website, but being able to get malware to rival some awful Windows viruses directly through Google Play doesn't build much confidence in anyone.
And for anyone reading this, seriously, don't install flashlight apps.
source: Ars Technica
Would be a really useful report if you named the apps
Yeah.
Sorry for the delay in replying, the list of guilty apps is as follows:
Sparkle FlashLight
Snake Attack
Math Solver
ShapeSorter
Tak A Trip
Magnifeye
Join Up
Zombie Killer
Space Rocket
Neon Pong
Just Flashlight
Table Soccer
Cliff Diver
Box Stack
Jelly Slice
AK Blackjack
Color Tiles
Animal Match
Roulette Mania
HexaFall
HexaBlocks
PairZap