Eight apps with a total of more than 2 billion downloads in the Google Play store have been exploiting user permissions as part of an ad fraud scheme that could have stolen millions of dollars, according to research from Kochava, an app analytics and attribution company that detected the scheme and shared its findings with BuzzFeed News.
Seven of the apps Kochava found engaging in this behavior are owned by Cheetah Mobile, a Chinese company listed on the New York Stock Exchange that last year was accused of fraudulent business practices by a short-seller investment firm — a charge that Cheetah vigorously denied. The other app is owned by Kika Tech, a Chinese company now headquartered in Silicon Valley that received a significant investment from Cheetah in 2016. The companies claim more than 700 million active users per month for their mobile apps.
The allegations are the latest shock to a vast digital ad tech industry that remains dogged by a multibillion-dollar fraud problem and a mobile ecosystem rife with malicious ads and fraudulent practices. BuzzFeed News reported last month on an ad fraud scheme that tracked user behavior in dozens of Android apps to generate fake traffic and steal advertisers’ money. Google estimated close to $10 million was stolen from it and its partners, and subsequently removed many of the apps from its Play store .
While the most immediate victims are brands who lose ad dollars to bots and other schemes, ad fraud also diverts revenue away from legitimate publishers and developers. In the case of mobile apps, it can cause frustration for users who may see their phone battery drained and data usage spike as a result of illegitimate ad transactions taking place without their knowledge.
This particular scheme exploits the fact that many app developers pay a fee, or bounty, that typically ranges from 50 cents to $3 to partners that help drive new installations of their apps. Kochava found that the Cheetah and Kika apps tracked when users downloaded new apps and used this data to inappropriately claim credit for having caused the download. The practice being executed by Cheetah and Kika is referred to as click flooding and click injection, and ensures these companies are rewarded an app-install bounty even when they played no role in an app’s installation. (See “How It Works” below for a detailed description.)
“This is theft — no other way to say it,” Grant Simmons, the head of client analytics for Kochava, told BuzzFeed News. He said this example is notable because Cheetah Mobile and Kika Tech are large app developers that built these practices into their apps.
“These are real companies doing it — at scale — not some random person in their basement,” he said.
Extracted from : BuzzFeed News