2019-08-29

More than a million Android users may have unknowingly allowed their smartphones to be exploited in a malicious ad-clicking scheme, security researchers warned Thursday.

Symantec engineers May Ying Tee and Martin Zhang said they recently discovered a “cunning” new tactic used to covertly click ads on the devices of Android users who had installed either of two popular apps.

Each of the apps – a notepad app called “Idea Note: OCR Text Scanner, GTD, Color Notes” and a fitness app called “Beauty Fitness: daily workout, best HIIT coach” – silently loads ads on the devices of users and then automatically clicks those ads to generate revenue, according to the engineers.

The tactic is noticeably different from similar schemes because the ads are loaded outside the device’s viewable display and effectively hidden from the user, said the Symantec team.

“Using this tactic allows advertisements, and any other potentially malicious content, to be displayed freely,” they wrote in a blog post. “The app can then initiate an automated ad-clicking process that produces ad revenue.”
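The article does not say how the two apps placed their ad views outside the visible area, so the following is an added example, not code from the article or from Symantec's write-up: a small static-analysis heuristic (written here for illustration) that walks decoded Android layout XML and flags WebViews that are pushed off-screen, shrunk to a near-zero size or hidden, which is the kind of hiding the tactic above relies on. The two layout files, the 2000 dp "off-screen" threshold and the rule that only WebViews are inspected are all constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumption: no handset or tablet is this many dp wide or tall, so an
# offset of this size can only move a view out of the viewable display.
OFFSCREEN_DP = 2000.0

POSITION_ATTRS = ("layout_marginLeft", "layout_marginTop", "layout_marginRight",
                  "layout_marginBottom", "layout_marginStart", "layout_marginEnd",
                  "translationX", "translationY")
SIZE_ATTRS = ("layout_width", "layout_height")
# Only views that can render remote ad content are inspected (assumption).
RENDER_TAGS = {"WebView", "android.webkit.WebView"}

_DIM_RE = re.compile(r"^(-?\d+(?:\.\d+)?)(dp|dip|sp|px|pt|mm|in)?$")

# Constructed sample layouts (hypothetical, not taken from the real apps):
# one ordinary screen and one that hides two WebViews.
SAMPLE_LAYOUTS = {
    "activity_main.xml": """
<FrameLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="match_parent">
    <TextView android:id="@+id/note"
        android:layout_width="wrap_content"
        android:layout_height="wrap_content"/>
</FrameLayout>""",
    "ad_container.xml": """
<FrameLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="match_parent">
    <WebView android:id="@+id/hidden_ad"
        android:layout_width="1dp"
        android:layout_height="1dp"
        android:layout_marginLeft="-5000dp"/>
    <WebView android:id="@+id/other_ad"
        android:layout_width="320dp"
        android:layout_height="50dp"
        android:translationY="9999dp"
        android:visibility="invisible"/>
</FrameLayout>""",
}


def parse_dimension(value):
    """Return a float for a literal dimension such as '-5000dp'.

    match_parent, wrap_content and resource references (@dimen/...) are not
    literal sizes and yield None.
    """
    if value is None:
        return None
    m = _DIM_RE.match(value.strip())
    return float(m.group(1)) if m else None


def scan_layout(name, xml_text):
    """Return (file, view id, reason) findings for one decoded layout file."""
    findings = []
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        tag = elem.tag.split("}")[-1]
        if tag not in RENDER_TAGS:
            continue
        view_id = elem.get(ANDROID_NS + "id", "<no id>")
        # Large margins or translations move the view outside the display.
        for attr in POSITION_ATTRS:
            raw = elem.get(ANDROID_NS + attr)
            v = parse_dimension(raw)
            if v is not None and abs(v) >= OFFSCREEN_DP:
                findings.append((name, view_id, f"{attr}={raw} places the view off-screen"))
        # A 0/1 dp WebView still loads and can still receive synthetic clicks.
        for attr in SIZE_ATTRS:
            raw = elem.get(ANDROID_NS + attr)
            v = parse_dimension(raw)
            if v is not None and v <= 1:
                findings.append((name, view_id, f"{attr}={raw} gives the view a near-zero size"))
        vis = elem.get(ANDROID_NS + "visibility")
        if vis in ("invisible", "gone"):
            findings.append((name, view_id, f"visibility={vis} hides the view from the user"))
    return findings


def scan_all(layouts):
    """Scan a {filename: xml} mapping, e.g. every file under res/layout/."""
    out = []
    for name, text in layouts.items():
        out.extend(scan_layout(name, text))
    return out


if __name__ == "__main__":
    for f in scan_all(SAMPLE_LAYOUTS):
        print(f"{f[0]}: {f[1]}: {f[2]}")
```

Run against the decoded `res/layout/` directory of an apktool-extracted APK, this reports five findings for the sample above, all against the two WebViews in `ad_container.xml`. It is a triage heuristic, not proof of fraud: legitimate apps also hide WebViews, and an app that builds its ad view in Java or Kotlin code rather than in XML will not be caught, so the same checks need to be applied to `setTranslationX`/`setVisibility` calls and the JavaScript the WebView loads during dynamic analysis.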

“As threat actors generate ghost clicks and ad revenue, impacted devices will suffer from drained batteries, slowed performance and a potential increase in mobile data usage due to frequent visits to advertisement websites,” the engineers warned.

Both apps were released by the same developer, Idea Master, and had been downloaded a combined total of more than 1.5 million times from Google's Play store before the behaviour was brought to Google's attention and the apps were removed.

Messages requesting comment from Idea Master and Google were not immediately answered.

Separately, Google announced Thursday that it will start rewarding researchers who report certain abusive Android apps. Individuals who report apps that use, sell or repurpose user data in an unexpected or illegitimate way without user consent will be eligible for a bounty of up to $50,000, Google said.

