Popular Google Play Store apps abuse permissions and commit ad fraud




Ben Kothe / BuzzFeed News

A host of popular Android apps from a major Chinese developer, including a selfie app with more than 50 million downloads, have committed large-scale ad fraud and abused user permissions, a BuzzFeed News investigation of popular Android apps has found. In several cases, the apps took steps that concealed their connection to the developer, DU Group, from users, and did not clearly disclose that they were collecting data and sending it to China. The investigation also raises questions about Google's oversight of Play Store apps when it comes to fighting fraud and policing data collection practices.

DU Group is a Chinese app developer that boasts more than one billion users worldwide and was spun off last year from Baidu, one of China's largest technology companies. At least six DU apps, with more than 90 million downloads combined on the Google Play Store, fraudulently click on ads to earn revenue, and at least two of them contain code that could be used to carry out another form of ad fraud, according to findings from security and ad-fraud researchers at Check Point and Method Media Intelligence.

The DU apps were identified after BuzzFeed News compiled a list of nearly 5,000 popular apps from the Google Play Store, along with related information such as developer name, number of installs, and permissions requested. Apps that requested an unusually high number of user permissions, or permissions that Android classifies as potentially "dangerous", were provided to researchers at several data analysis and security companies. (For a more detailed description of the methodology, see the bottom of this article.)

The problem is not limited to DU Group. Other Android apps identified by BuzzFeed News with a high number of unnecessary permissions include an extremely popular TV app that allows it to use a phone's microphone to record audio while a user is watching TV, a Chinese-language children's app that sends personal information without any encryption to servers in China, and a flashlight app that requests dozens of unnecessary and potentially invasive permissions.

The findings show how Google's Play Store, the world's largest app store, has been exploited by developers who easily hide who they are, offer apps with invasive permissions, and use those permissions to commit ad fraud, all while collecting huge amounts of user data. The result is an app ecosystem that is easy to exploit to abuse users and steal money from advertisers.

Google told BuzzFeed News that it had blacklisted the six DU group apps found to be committing advertising fraud. This means that they can no longer use Google's advertising products to make money.

"We explicitly prohibit ad fraud and service abuse on Google Play. Developers are required to disclose the collection of personal data and to use only the permissions necessary to implement the features of the app," a company spokesperson said in a statement. "If an app violates our policies, we take action, which may include banning a developer from publishing on Play."

The Google Play Store, the world's largest app store, has been exploited by developers who easily hide who they are.

The DU apps in question also violate the Play Store's policy against apps that "misrepresent or conceal their ownership", since they do not disclose any connection to DU Group to users.

After initially stating that the apps in question would remain in its store while it investigated, a Google spokesperson confirmed shortly before publication of this article that they had now been removed. The company would not say whether it plans to take action against DU Group as a whole.

The day before Google answered BuzzFeed News' questions about app permissions and the concealment of developer identity, the company also published a blog post outlining a new approach to user permissions and to targeting bad actors, in order to "prevent bad-faith developers from gaming our systems". It said it will hire more people to review apps on the Play Store.

DU Group has not responded to several emails requesting a comment.

Richard Kramer, senior analyst at Arete Research, told BuzzFeed News that Google was not doing enough to protect users.

"You cannot separate the behavior of DU – spun off from Baidu a year ago, in which they still have 34% – from the American parent," he said in an email. "Ad fraud is simply the norm in China (and for many other apps), and … Google should do a lot more to prevent it, even if it would significantly reduce sales. They cannot pretend to ignore or deny the problem."

DU's ad fraud follows previous BuzzFeed News reports that two other well-known Chinese Android app developers, Cheetah Mobile and Kika Tech, were abusing user permissions to commit ad fraud.

In response to this investigation, Senator Mark Warner of Virginia said that Chinese mobile app companies pose a national security risk because of their voracious data collection and Chinese laws that make them "ultimately accountable to the Communist Party".

"All this information is in data repositories in China. Beyond [ad] fraud, just all the personal information that is collected about Americans" is a problem, he said.

Grant Simmons, head of customer analytics at the app analytics and attribution company Kochava, said the behaviors identified in this investigation often occur in the background, when a user is not using the app in question. He compared it to "having downloaded an app that functions as a Trojan for data collection purposes."

"End users are not aware of how the apps they download generate data – and how often the data generated is used for ad fraud or other privacy violations," he said.

Do you have any advice regarding advertising fraud? You can send an email to [email protected]. To find out how to contact us safely, visit tips.buzzfeed.com.

A review by Privacy International of the privacy policies of many of the apps identified in this investigation found them confusing or inadequate, and raised questions about when they share data with government authorities and which other third parties receive it.

"Beyond the issues of legal compliance, companies must stop misusing people's data," said Frederike Kaltheuner, head of Privacy International's data program. "What happens to your data is important because it can be used against you or for purposes with which you fundamentally disagree. At the moment, you often have to [be] an expert to understand what happens to your data – with whom it is shared, sold and by whom it is exploited. It's a huge problem."

A family of apps guilty of ad fraud

The Selfie Camera app has been installed more than 50 million times from the Google Play Store and has earned a 4.5-star rating after tens of thousands of reviews. In 2017, Google ranked it among the most popular new apps in the UK. Those statistics made it look like a safe bet for users, but three different researchers found problems with the app that made downloading it risky.

Most alarmingly, Check Point found that the app contained code that allowed it to fraudulently click on ads from within the app without the user's knowledge. The company's researchers documented fake clicks on ads from AdMob and MoPub, the mobile ad networks run by Google and Twitter, respectively. (MoPub and Twitter did not respond to a request for comment.)

The fraudulent clicks occur even when the app is not open, which can drain a phone's battery and consume data, according to Aviran Hazum, head of Check Point's analysis and response team.

His team documented the app "checking if [a] user has not yet clicked on an ad [and then] clicking at random intervals" on the ads to generate fraudulent revenue.

"This is not something you can say is in the gray zone – it's obvious fraudulent activity," he told BuzzFeed News.

Selfie Camera is one of six apps belonging to DU Group that Check Point found engaged in fake clicks. The other apps were Omni Cleaner, RAM Master, Smart Cooler, Total Cleaner and AIO Flashlight. Together they had been installed more than 40 million times from the Google Play Store before being removed.

Google said that this form of "click fraud" is rare and against its rules, which is why it blacklisted the six apps from its advertising products. The company pointed to a recent blog post on the actions it took in 2018 against abusive ads and malicious actors.

In addition to committing ad fraud, the apps also concealed their connection to DU Group from users. In the Google Play Store, all of the apps above (except AIO Flashlight) list their developer as "Pic Tools Group (Photo Editor & Photo Grid & Collage)". There is no reference to DU Group, or to Baidu, in the store's app descriptions.

"It provides a layer of obscurity for the user," said Hazum.

Google's developer policy does not allow "apps or developer accounts that impersonate any person or organization, or that misrepresent or conceal their ownership or primary purpose … or that conceal their country of origin and direct content to users in another country".

Of all the apps above, Selfie Camera raised the most concern among researchers. In addition to the fake clicks documented by Check Point, Method Media Intelligence identified code in the app that could enable app-install attribution fraud. Praneet Sharma of MMI said, "There is a clear pattern of using certain packages for the attribution of game installs and ad calls," and warned of the "considerable and dangerous number of permissions" in this app and in other apps he examined. (Sharma did not see the app commit attribution fraud.)

Install attribution fraud, which BuzzFeed News previously reported had been committed by Cheetah Mobile and Kika Tech, is used to falsely claim credit for app installs. Developers often pay a "bounty" to partners who help drive new installs of their products. In this case, DU Group's selfie app contained code that let it detect when a new app was downloaded onto the phone, which could be used to claim any bounty on offer.

Beyond the ad fraud, the app also ships with unrelated – and undisclosed – features, documented both in user complaints in Play Store reviews and in an analysis by the security company Eset.

"Completely fake advertising … there are a lot of 'performance improvements' hidden for my phone that just spoil it more. Point it out as it should be in the description," reads a recent review by Duncan Mugume, a Ugandan user, who told BuzzFeed News that he downloaded the app after seeing an online ad.

He said in a Facebook message that after he installed the app, it "behaved in a completely different way" than expected, including launching "scans" of his phone while it was not in use.

Lukas Stefanko, a malware researcher at Eset, reviewed the app for BuzzFeed News and found that it contains a wide range of features not disclosed to the user in the Play Store, including a hidden battery monitor, a processor cooler and the ability to display external websites, among others.

Stefanko said that this extra functionality adds risk because the app could be used to load malicious links. (He did not witness such activity.)

One striking feature of many of DU Group's unbranded apps is that their privacy policies are hosted on Tumblr blogs with odd names. Selfie Camera hosts its policy at https://dreamilyswimmingwizard.tumblr.com, while other apps have policies at https://yesexactlyinnerbouquetstuff.tumblr.com/ and https://superiorzzr.tumblr.com.

These policies do not disclose that user data is collected by DU Global, which adds another layer of obfuscation. Kaltheuner of Privacy International told BuzzFeed News that the policies are vague about how third parties, potentially including the Chinese government or other authorities, can access the data collected. She also said that Selfie Camera's policy incorrectly asserts that it does not collect personal data. Under the GDPR, Europe's data-protection law, a device identifier is considered personal data, and Selfie Camera collects it from users.

The Chat Meet app is explicit about user data being sent to China. Like the others, it does not appear anywhere on DU Group's website. But its privacy policy says that "this could require us to transfer your personal data to countries outside the European Economic Area … including to countries such as the People's Republic of China or Singapore." (The researchers did not identify any ad fraud taking place in Chat Meet.)

DU Group has not responded to several requests for comments.

Flashlight apps grabbing permissions and committing ad fraud

Almost all Android phones come with a built-in flashlight, making these apps largely unnecessary. Still, many third-party flashlight apps have millions of installs, and they have previously been used as Trojans to spread malware or to commit ad fraud by loading ads in the background, unbeknownst to the user. The BuzzFeed News investigation identified several flashlight apps that requested a suspicious number of user permissions and/or were involved in ad fraud.

"[Flashlight app developers] took advantage of a window of opportunity when iPhones and Android devices did not have flashlight functionality; real humans therefore downloaded flashlight apps that required silly permissions and noticed little, since they had just granted all the permissions during installation," Augustine Fou, an ad-fraud researcher, told BuzzFeed News.

As noted above, DU Group's AIO Flashlight was part of the group of apps that fraudulently clicked on ads. It also requested 31 permissions, seven of which are in the dangerous group. Emoji Flashlight, from the Chinese company APUS Apps, has more than 5 million installs and requests 30 permissions, seven of which are in the dangerous group – far more than it needs to function. How many permissions does a flashlight app actually need? This app in the Play Store requested only two permissions and did the job.

A request for comment sent to the email address listed on Emoji Flashlight's Play Store page received no response. Emails sent to APUS Apps also went unanswered.

A TV remote that says it could use your phone's microphone to record what you're watching

While the most invasive apps identified in the investigation belonged to Chinese companies, a US-made app stood out for its extensive data collection policy and its large number of permissions.

Peel Technologies' Samsung TV Remote Control app requests 58 permissions, 23 of which fall into Android's "dangerous" category. The app is part of a family of Peel TV remote apps with similar features and permissions. They are all covered by a single privacy policy, which says the app collects detailed information about the "content you consume (validated by audio content recognition)". This suggests that the app accesses the microphone to record audio while you use it. It also collects information about your location, your IP address, your device, and your behavior while you use the app.

In an email response, Peel stated that its apps do not use audio content recognition, but did not answer a follow-up question about why this feature is cited in its privacy policy. It also said that it only shared "non-personally identifiable location data for a fraction of our users" with third parties.

Although it may not be a household name, the company is a global player. It has claimed a registered user base of more than 130 million people and has raised more than $86 million in venture capital. (Its latest funding round took place in 2014 and was led by China's Alibaba Group, the e-commerce and technology conglomerate.)

One reason it has attracted so many users over its history is that in 2012, Peel signed an agreement to pre-install its apps on some Samsung phones. (It did the same with the phone maker HTC.)

Patrick Flynn, a management consultant in Brisbane, Australia, told BuzzFeed News that his Samsung Galaxy, purchased around 2015, came with a Peel remote app pre-installed. He recently became frustrated after the app took over his screen with ads. The same thing happened to his mother-in-law, who also owns a Samsung Galaxy.

This behavior was documented earlier this year by the mobile security company Wandera, which called out the Peel remote for "misuse of permissions and aggressive advertising for its users." Peel initially stated that its apps "are not advertising at the moment." BuzzFeed News found that at least four of its apps offered inventory to advertisers for purchase across multiple ad networks. The company then stated that it was conducting "minor experiments aimed at finding the right balance between interstitial [ads] and the user's role."

Flynn was so frustrated with the ads that he tried to remove the app from the phone. But it kept reappearing.

"When it came back, covering our lock screens again, I was very frustrated," he said. Flynn had to search online to find out how to disable the app and its many permissions.

"Since then, I've revoked all permissions and disabled automatic updates," he said. "This whole experience has completely turned me off Samsung. It's still there and it's getting on my nerves."

"But when it made life harder for an older woman who was really struggling with technology, I was angry," he said. "I had more ease in removing viruses."

He posted a review describing his difficulties on the Play Store earlier this year to warn other users.

Peel told BuzzFeed News that its apps are no longer pre-installed on Samsung or HTC phones. Samsung did not respond to a request for comment, although the company still displays an online help page dedicated to explaining how to disable the Peel TV remote app.

A children's app that sends personal data in the clear

Finally, a children's app stood out among the apps that requested unnecessary permissions. The WaWaYaYa app is a reading app for kids that offers content in Chinese. It requests 32 permissions, seven of which are in the dangerous group. More alarmingly, an analysis by Stefanko of Eset found that the app was sending user information such as email, username, real name, and device information to servers in China without encryption or any other protective measure.

The app is only available in Chinese and has been installed only 1,000 times from the Play Store. The app's developer did not respond to a request for comment. ●


How we found the apps and analyzed them

In February, BuzzFeed News collected information from the US Google Play Store on the top 600 free, paid, and top-grossing Android apps in four categories: overall, games, apps for kids, and tools. Some apps appeared on several lists (e.g., top-grossing games and top-grossing overall); in total, BuzzFeed News identified 4,880 apps.

The data that can be retrieved from the Play Store includes the permissions requested by each app. BuzzFeed News cross-referenced these permissions with Android's official documentation, which assigns some permissions a "dangerous" protection level. These are usually permissions that grant access to sensitive information (text messages, body sensors, location, etc.) or that can have effects outside the app (sending text messages, modifying contacts, creating voicemails, etc.).

BuzzFeed News manually identified apps requesting a high number of permissions, including those considered "dangerous", and looked for apps that requested more permissions than seemed necessary (such as flashlight apps). Apps warranting technical review were provided to Check Point, Method Media Intelligence and Eset for further analysis.
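The permission check described in the methodology above, as an added example that is not BuzzFeed News' own tooling: it reads the `<uses-permission>` entries of an Android manifest, cross-references them against the runtime ("dangerous") permissions Android documented at the time, and compares the total with a per-category baseline. The manifest, the `com.example.flashlight` package name and the flashlight baseline are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Runtime ("dangerous") permissions as listed in Android's documentation for
# API levels 23-28, i.e. the set in force when the article was published.
DANGEROUS = {"android.permission." + p for p in (
    "READ_CALENDAR", "WRITE_CALENDAR", "CAMERA", "READ_CONTACTS",
    "WRITE_CONTACTS", "GET_ACCOUNTS", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "RECORD_AUDIO", "READ_PHONE_STATE",
    "READ_PHONE_NUMBERS", "CALL_PHONE", "ANSWER_PHONE_CALLS", "READ_CALL_LOG",
    "WRITE_CALL_LOG", "ADD_VOICEMAIL", "USE_SIP", "PROCESS_OUTGOING_CALLS",
    "BODY_SENSORS", "SEND_SMS", "RECEIVE_SMS", "READ_SMS", "RECEIVE_WAP_PUSH",
    "RECEIVE_MMS", "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
)}

# Constructed baseline: what a flashlight app plausibly needs (the article notes
# a Play Store flashlight that works with just two permissions).
EXPECTED = {
    "flashlight": {"android.permission.CAMERA", "android.permission.FLASHLIGHT"},
}

# Constructed manifest for a hypothetical over-permissioned flashlight app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)}


def audit(manifest_xml, category):
    """Summarise the request against the dangerous list and the category baseline."""
    perms = requested_permissions(manifest_xml)
    dangerous = sorted(perms & DANGEROUS)
    unexpected = sorted(perms - EXPECTED.get(category, set()))
    return {
        "total": len(perms),
        "dangerous": dangerous,
        "unexpected": unexpected,
        # Flag for manual review when the app asks for more than its stated
        # purpose needs and at least one of the extras is dangerous.
        "flag": any(p in DANGEROUS for p in unexpected),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_MANIFEST, "flashlight"))
```

The same `audit` call works on any manifest extracted from an APK (for example with apktool) once you supply a baseline for the app's category.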
