More ad fraud apps found hiding on Google Play Store

Fraudulent Android app developers have been discovered trying to manipulate Google’s Play Store security by removing suspicious code before adding it back in to see what trips detection systems.
The behaviour was noticed by security company White Ops in two previously fraudulent apps, which it says raises an interesting question: if a fraudulent app developer deactivates the part of an app that makes its behaviour fraudulent, is that app still a fraud app?
The apps were among a small haul of 38 beauty-themed apps the company detected from the same developer which were reported to Google for bombarding users with unwanted ads.
As well as serving out of context ads at every opportunity, the apps also sent users to websites and made it difficult to de-install the apps using techniques such as hiding icons from the home screen and apps folder.
But how did the apps get there in the first place?
This has become a bit of an issue for Google’s security team in recent years. A security vendor or researcher spots multiple apps on the Play Store doing something bad, tells Google, which eventually removes the apps after confirming they’re malevolent.
Of course, uploaded apps are monitored by Google’s automated security checks before being accepted but this system can be bypassed, as the steady but unchecked stream of bad app discoveries confirm.
It’s not as hard to beat detection systems as it should be. Malicious developers have a range of techniques such as binary packing and even Arabic Unicode to hide malicious code in ways that are hard to spot without employing humans to look at each app and update.
Sometimes, apps contain no fraudulent code at all and simply exploit loopholes in Google’s licensing to do sometimes outrageous things such as charge users hundreds of dollars to continue using them.
But the bigger failure here isn’t that apps are able to sneak on to the Play Store but how long they remain there.
In this incident, the average time it took Google to remove apps was 17 days, with at least one left on the Play Store for three months. That doesn’t sound long until you hear that:

Even with an average of less than three weeks of time on the Play Store, the apps found an audience: the average number of installs for the apps we analyzed was 565,833.

Then the developer unexpectedly updated two apps containing malicious code so that most of the problem behaviour was deactivated.
That’s deactivated, not removed – the change was simply made using a command and control (C2) function, leaving the problem code intact but dormant inside the apps.
According to White Ops, the two tweaked apps are possibly an attempt to work out which criteria Google’s systems use to spot that apps are fraudulent.
In that scenario, the apps might be updated several times, each one activating a different part of the malicious behaviour, until Google detects its malicious intent.
Google took down the apps discovered by White Ops in 2019 but it’s hard not to be left with the impression that Google’s ongoing battle to banish bad apps has a struggle ahead of it.