It’s happened again. Another batch of apps that exhibit malicious behavior has been found and pulled from the Google Play store — but not before they were downloaded more than 2 million times. That batch, according to a new Ars Technica report, includes 22 titles like the flashlight app Sparkle Flashlight, which was downloaded more than 1 million times over the last year or so. And it follows other recent episodes of this same kind of discovery, such as the one we told you about recently that involved Google pulling 13 apps that install malware on user devices and had been downloaded over 500,000 times.
That problem with this latest batch of bad apps was that researchers found a “device-draining backdoor” in the apps that allowed them to quietly download files from a server controlled by an attacker. For its report, Ars relied on a blog post published today from antivirus provider Sophos, which notes among other things that Sparkle Flashlight and two other apps were updated to include the secret downloader towards the beginning of this year.
The rest of the group of 22 apps showed up in the Play store sometime after that, with the downloader included right away. Google apparently removed them about a week ago. From Ars’ report: “They were being used to click endlessly on fraudulent ads. ‘Andr/Clickr-ad,’ as Sophos has dubbed the family of apps, automatically started and ran even after a user force-closed them, functions that caused the apps to consume huge amounts of bandwidth and drain batteries.”
What was happening here was the advertisers were being given false impressions that their ads were being clicked on in significant numbers from seemingly genuine users. But not only that. According to Sophos, server data showed that the fraudulent clicks were made to seem like they were coming from iPhones. So in addition to making it seem like the ads were getting clicked on a lot, as Ars points out, the presumption here is that the people behind this scam may have been able to secure higher prices from advertisers who will oftentimes pay more when iPhone users (who are believed to be more lucrative) see their ads.
This is the latest in a string of reports about these kinds of discoveries. And reaction to this news will likely include criticism that Google doesn’t do a good enough job securing its app marketplace. Worth pointing out is that Ars concludes its piece with this counter to that point: Even if you concede the company is not doing a good enough job here, Google is nevertheless moving quickly to pull these apps once they’re reported. So, there’s that.