Services & Software

These Android apps were clicking on ads behind your back

The apps had been installed more than 1.5 million times and were on the Play Store for almost a year, researchers say.

Two Android apps downloaded more than 1.5 million times were displaying ads off-screen and clicking on them multiple times. 
Juan Garzón/CNET

A notepad app and a fitness app downloaded on more than a million devices have been secretly clicking on ads without people knowing for nearly a year, security researchers found. 

The apps, developed by a company called Idea Master, offered tools to help people lose weight and organize their lives, but were actually popping up ads off-screen and clicking on them multiple times per day, researchers from cybersecurity company Symantec said Thursday. 

The apps' developer didn't immediately respond to a request for comment. Idea Master has since been banned from the Play Store, Google's platform for Android apps, and both apps have been removed.

The apps were "Idea Note: OCR Text Scanner, GTD, Color Notes" and "Beauty Fitness: daily workout, best HIIT coach." More than 1.5 million people downloaded both apps, which were on Google's Play Store as recently as Aug. 23. 


The notes app had been downloaded more than a million times and was active as recently as Aug. 23.

Alfred Ng / CNET

Android faces an uphill battle keeping malware and adware off its Play Store -- especially compared with Apple's App Store for iOS -- because of its open ecosystem. You might be able to tinker more on an Android device, but that freedom also extends to potential hackers. Android's security program has fixed issues with more than 1 million apps in the Play Store in the five years it's been active, but new attackers continue to pop up with different ways of hiding on people's devices. 

The ad fraud taking place on Idea Master's apps went unnoticed for so long because its code was hidden in Android packers typically used for protecting intellectual property, the researchers said. 


The fitness app had been downloaded more than 500,000 times before it was removed from the Play Store.

Alfred Ng / CNET

Once installed, these apps show the ads outside the device's display view and click on them automatically, committing ad fraud and draining resources from the phone. These ads take up battery life and mobile data usage on Android devices without the owner being aware of it. 

Even before researchers discovered the ad fraud, some people who downloaded the apps noticed and voiced their concerns in the apps' reviews. A review on the notes app from Aug. 5 said that the app was useful, but it had too many ads and that it was slowing down the device. 

Another review on the notes app called the ads disruptive and irritating. And those were just the ads that the users saw. 

Now playing: Watch this: Those bootleg streaming devices have malware preinstalled