Ever wonder why so many Android apps ask users if they'd like to download obscure add ons like "smart charging"? It isn't to improve your user experience.

A recent study (PDF) by an advertising firm called eZanga showed that over 1,300 Android apps contained specific malware that makes people's phones display ads and videos without their knowledge. These malware additions usually piggyback on free apps through add-ons like "smart charging" and "cool background". Even more troubling is that many of these malware programs are piggybacked onto things like file explorer apps, which allow you to delete apps like the ones presumably with malware (even my old favorite, ES File Explorer).

It should be noted that the eZanga's study heavily promotes their new program Anura, a fraudulence protection software for ads. Anura's purpose is to determine which of the click-throughs for advertisements are real and which are done by bots. Although the study does have obvious marketing implications for both Anura and eZanga, the findings are still quite unsettling.


Malware that generates fraudulent ad clicks usually hides in wallpaper apps.


Malware Bots that Utilize Hardware Specs

Before we delve into how these specific malware bots work, we will need to do a quick and dirty review of how automated advertising programs work. Why do people develop these malware bots in the first place?

Online advertising has a hierarchy of what is perceived as “more valuable”. For example, somebody clicking a link has some value, but somebody staying on a page for a long time or watching a video without skipping it is valued higher because of a perceived interest from the user. If somebody watches a five-minute informative video on how to use a product, it's usually a safe assumption that they have a high degree of interest in buying.

But what happens when somebody pays money for a video advertisement that nobody actually watches? Malware bots create just that situation, creating false "views" to dupe advertisers.


An example of a PHP document for the Malware programs. The keyword groups and click-through rate (CTR) can be adjusted to avoid suspicion. A screenshot from Anura's study (PDF)


These malware bots are surprisingly sophisticated. They are designed to mimic human behavior by means of things like proper touch screen orientation. In this case, they actually pull the screen size from a phone or tablet’s hardware specs and use that to simulate locations on the touchscreen where users would normally click. These bots usually "watch" videos when the device's owner is either sleeping or charging the device. These bots also tend to wait for a device to be connected to Wi-Fi so as to not draw suspicion from users who may notice discrepancies in their data usage statements from cell service providers.

On top of the obvious ethical concerns, these bots waste bandwidth, electricity, and an estimated $6.5 billion in 2017. You can find more specifics on how these bots work in eZanga's study (PDF).