• Four apps in the Google Play Store were discovered to be displaying ads when running in the background.
  • These apps have more than 500 million downloads and all app developers are said to be from China.

Why does it matter?

Four Android apps, HotSpotVPN, Free VPN Master, Secure VPN, and CM Security Applock AntiVirus, were discovered to commit ad fraud by pushing ads when apps were running in the background, or outside the app environment.

  • Pushing such ads helps generate fraudulent revenue, considering the millions of downloads the apps have in total.
  • The ad pop-ups not only invade user privacy but also increase CPU heat and drain phone battery because of the constant HTTP requests.
  • All the app developers are based in China, and two of the apps were observed to have similar code.

Adware activity details

The four Android applications were analyzed by Andy Michael, who first reported the behavior.

  • Hotspot VPN: This application uses the advertisement API from Google to display advertisements at any time. Obfuscated code is used to display advertisements that fill the complete screen when the VPN application is running in the background.
  • Free VPN Master: This was also observed to use the advertisement API from Google and seemed to have code identical to the Hotspot VPN application, except for slight modifications.
  • Secure VPN: The code of this application contains a list of classes that manage the process of showing ads. This includes events, render of the ad, request, and how to display the ad.
  • Security Master: This application pushes ads of services such as Facebook, GitHub, AirBnB, and Google among others.

“This application takes it a step further. Instead of constantly showing the ads the app leverages its enormous user base and intrudes less often and randomly. It uses a more sophisticated approach by popping up the app instead and showing the ads immediately after you try to get back to the home screen,” says Michael about the Security Master application.

Cyware Publisher