Eight popular apps from Chinese firms with links to Cheetah Mobile have reportedly been committing ad fraud, draining users’ data pools and batteries while stealing money from advertisers. The apps in question have been using two methods, termed click flooding and click injection, to both farm illegitimate ad clicks, and claim credit for ad interactions, app installs, and other potentially lucrative ad-related activity that actually had nothing to do with them. Analysts checking into the apps in question are saying that the code that’s doing all of this is integrated directly into the core apps, and uses proprietary code linked to Cheetah Mobile and affiliated company Kika. The apps found to be doing this by app research firm Kochava are extremely popular, and include the likes of Kika Keyboard and CM Launcher 3D, both boasting over 200 million downloads. The most popular app involved is Clean Master, with over 1 billion confirmed downloads in the Play Store. As of this writing, nothing of this sort has been found in other apps from or involved with Cheetah Mobile, and none of the apps in the report have been removed from the Play Store.
Background: Cheetah Mobile is one of the largest mobile app producers in China, with a massive international following. Its most popular app, Speed Booster, is not included in this report. Bill Hu, the CEO of Kika, said that any ad fraud activity found in its apps had taken place without the company’s knowledge, despite the fact that the reported findings indicated that the functionality was baked into the core activity loop of the app. The same can be said of Cheetah Mobile’s apps, according to the report, but the company’s official stance on the matter is that third-party software development kits that were used to integrate ad calls and other functionality are the real culprit. Both companies are reportedly investigating this matter.
Impact: Ad fraud, click farming, and other methods of making an illegitimate buck on the backs of ad publishers are all fairly common in the app development world, but this case is one of the first where a well-known name was found to be doing it internationally, and in a way that brought legitimate harm to both users and advertisers. While this probably won’t snowball into the kind of scandal that shocks the entire Android sphere, it’s not a big logical leap to think that Google will be stepping in to take some action, do some investigating of its own, or at least issue a statement or make a policy change of some sort. It is worth noting that the type of ad fraud being committed here has the potential to present a massive security hole in two ways; it could potentially be construed as sending users’ data to ad servers without their express consent, a practice that used to be extremely common but has come under serious fire recently, and the fact that both of these companies are denying putting in the relevant code could mean that there are other bits of compromising code in their apps.