Researchers said that a tip from a child led them to discover aggressive adware and exorbitant prices lurking in iOS and Android smartphone apps with a combined 2.4 million downloads from the App Store and Google Play.
Posing as apps for entertainment, wallpaper images, or music downloads, some of the titles served intrusive ads even when an app wasn’t active. To prevent users from uninstalling them, the apps hid their icon, making it hard to identify where the ads were coming from. Other apps charged from $2 to $10 and generated revenue of more than $500,000, according to estimates from SensorTower, a smartphone-app intelligence service.
The apps came to light after a girl found a profile on TikTok that was promoting what appeared to be an abusive app and reported it to Be Safe Online, a project in the Czech Republic that educates children about online safety. Acting on the tip, researchers from security firm Avast found 11 apps, for devices running both iOS and Android, that were engaged in similar scams.
Many of the apps were promoted by one of three TikTok users, one of whom had more than 300,000 followers. A user on Instagram was also promoting the apps.
“We thank the young girl who reported the TikTok profile to us,” Avast threat analyst Jakub Vávra, said in a statement. “Her awareness and responsible action is the kind of commitment we should all show to make the cyberworld a safer place.”
The apps, Avast said, made misleading claims concerning app functionalities, served ads outside of the app, or hid the original app icon shortly after the app was installed—all in violation of the app markets’ terms of service. The links promoted on TikTok and Instagram led to either the iOS or Android versions of the apps depending on the device that accessed a given link.
“It is particularly concerning that the apps are being promoted on social media platforms popular among younger kids, who may not recognize some of the red flags surrounding the apps and therefore may fall for them,” Vávra added.
Avast said it privately notified Apple and Google of the apps’ behaviors. Avast also alerted both TikTok and Instagram to the shill accounts doing the promotions.
A Google spokesman said the company has removed the apps, and Web searches appeared to confirm this. Several of the apps for iOS appeared to still be available in the App Store as this post was being prepared. Representatives from Apple and TikTok didn’t immediately have a comment for this post. Representatives with Facebook, which owns Instagram, didn't respond to a request to comment.
Android users by now are well acquainted with the Play Store serving apps that are either outright malicious or that perform unethical actions such as deliver a flood of ads, often with no easy way to curtail the deluge. Abusive apps from the App Store, by contrast, come to light much less often—not that such iOS apps are never encountered.
Last month, researchers discovered more than 1,200 iPhone and iPad apps that were snooping on URL requests that users made within an app. This violates the App Store’s terms of service. Using a software developer kit for serving ads, the apps also forged click notifications to give the false appearance that an ad viewed by the user came from an ad network controlled by the app, even when that wasn’t the case. The behavior allowed the SDK developers to steal revenue that should have gone to other ad networks.
People considering installing an app should spend a few minutes reading ratings, reviewing prices, and checking permissions. In the case of the apps found by Avast, the average rating ranged from 1.3 to 3.0.
“This all is bad don’t buy,” an iOS user wrote in one review. “I accidentally bought it. 8 dollars wasted and it doesn’t work.”
This story originally appeared on Ars Technica.