Google Removes Apps with Over 20 Million Downloads for Using Excess Mobile Data and Killing Battery

Ad Fraud is when a bot attempts to imitate legitimate web traffic and generate more page views for the website.


Google Play Store is home to millions of applications. The Android app store serves as a platform for developers to offer a variety of apps across different genres. Most of these apps check with Google’s security and privacy policies that have been laid down by the company. However, some applications find loopholes to dodge through the security layers and perform malicious activities. A McAfee report stated that Google Play removed 16 such applications with more than 20 million downloads combined for committing ad fraud. 

The 16 mobile applications performed malicious activities that drained batteries faster and used more data than usual. Google has acted upon the research report. However, the action might have taken more time as these apps have already been downloaded over 20 million times.

The apps provided legitimate functions, including a flashlight, camera, QR reading, and measurement conversions. According to an ARS Technica report, citing McAfee’s research, these apps would download additional code when opened. The downloaded code could cause these apps to perform ad fraud. 

What is an Ad Fraud?

Ad Fraud is when a bot attempts to imitate legitimate web traffic and generate more page views for the website. To the person on the outside, this might come across as genuine traffic. The bot is explicitly used to generate more traffic, compromising the advertiser’s budget as the ads are served to bots and not the actual target user.

The McAfee report stated that infected devices received messages through the Google-owned Firebase Cloud Messaging (FCM) platform that instructed them to open specific web pages in the background. The bot would then select links to artificially inflate the number of clicks ads received. 

“Mainly, it is visiting websites which are delivered by FCM message and browsing them successively in the background while mimicking user’s behaviour. This may cause heavy network traffic and consume power without user awareness during the time it generates profit for the threat actor behind this malware,” McAfee’s SangRyol Ryu said.

The report further revealed that the malicious apps came with a code library named com.liveposting, which acts as an agent and runs hidden adware services. Other apps also came with an additional library called, which focused on the automated clicking functionality.

To ensure that the malicious activity goes unnoticed, these apps waited about an hour after installation before running the libraries.

What Did Google Say?

A Google spokesperson stated that all apps that were reported by McAfee have been removed. “Users are also protected by Google Play Protect, which blocks these apps on Android devices,” a Google spokesperson said. However, the spokesperson did not respond to a follow-up question which asked how these apps managed to get over 20 million downloads if Play Protect blocked the apps on Android phones.