Researcher Found Popular VPN Apps On Android Doing Ad Fraud

Android is the most popular mobile operating system, used by many manufacturers to power their phones.

But that doesn't mean it's the safest in the market. Google has had frequent trouble policing Android, and despite numerous attempts to improve security and app scrutiny, the Google Play Store still has malware problems that won't go away.

New Zealand-based independent security researcher Andy Michael found four popular Android apps that are capable of not just showing ads while running in the background, but also placing ads outside the apps, including on the home screen.

Michael discovered this when he was browsing for media files on his Samsung Galaxy S5 device and saw popup ads showing up in places they weren't supposed to. Using the Popup Ad Detector app, he discovered that the four VPNs were the culprits:

Hotspot VPN, Free VPN Master, Secure VPN, and Security Master.

These four have cumulative downloads of over 500 million, meaning that they are popular in the market and among their users.

The findings are explained in detail in a post on his website; here is a summary.

Hotspot VPN

Besides having advertisement APIs from both Google and Facebook, Hotspot VPN, developed by HotspotVPN 2019, contained obfuscated code capable of showing full-screen ads at any given point in time.

The ads can show at any time, irrespective of whether the VPN app is in use and running in the foreground or not. This results in significant battery and CPU usage.

Free VPN Master

Free VPN Master is developed by Freemaster2019. Just like Hotspot VPN, it shares the same code for serving Google ads. The two apps also share APK files and code structure. The only significant difference is that the two APKs have different hashes.

"We think that both applications are the same with slight modifications in the name of packages in order to get a different hash for both APKs due to the fact that once they were reversed they had the same code and were obfuscated with the same tool. In contrast, the names of providers on Google Play are different, although it does not mean by different people," the researcher said.

Secure VPN

Developed by SEC VPN, the Secure VPN app is considered the worst of the findings.

Not only did it serve ads even when users were using other apps, Secure VPN could also render an overlay on top of the home screen, hiding app icons.

The app was also found to have references to code that recorded activities, including ads that were displayed, clicked and dismissed by the user. This suggests that the developers were using tracking methods to monitor and display ads based on users' activities.

Security Master

The fourth is Security Master from Cheetah Mobile (AppLock & AntiVirus).

The developer of this app has previously been accused of committing ad fraud using the click injection technique. The developer has also been banned from publishing apps on the Play Store. But after the apps were revised a little and resubmitted, Google somehow allowed Cheetah Mobile's apps to regain access to its Play Store.

Compared to the three other VPNs, Security Master took a unique approach in its fraudulent scheme.

For example, instead of constantly showing ads, the VPN app leverages its enormous user base and intrudes less often and randomly. It uses a more sophisticated approach by popping up the app instead and showing the ads immediately after users try to get back to the home screen.

According to Michael:

"Developers use this [method] because every impression/click gives them revenue. Due to high popularity of VPN apps, if making a quick buck is the goal, serving outside ads in VPN apps would be a logical choice."

It should be noted that the four apps are meant for 'improving security', suggesting that the developers are increasingly banking on users' trust in security-related Android apps to commit ad fraud. What's more, the VPN apps originate from either Hong Kong or China, where citizens typically rely on VPNs to bypass China's Great Firewall.

This is not the first time Google has struggled to curb the spread of harmful apps on its Play Store.

Google has a strict policy with regard to adware and disruptive ads in general, saying: “We don’t allow apps that contain deceptive or disruptive ads. Ads must only be displayed within the app serving them. We consider ads served in your app as part of your app. The ads shown in your app must be compliant with all our policies.”

But still, developers of many kinds have managed to slip through the scrutiny and put their malicious apps on the Play Store, exposing billions of potential users to threats and discomfort.

For example, back in August 2019, Lukas Stefanko, an ESET security researcher, revealed that the Google Play Store had 205 malicious apps with over 32 million installs in July alone.

Although Google's security measures have improved and resulted in the removal of hundreds of thousands of harmful apps, the security procedures aren't entirely bulletproof.

Published: 21/09/2019