According to app analytics firm Kochava, 7 Android apps developed by Cheetah Mobile and 1 from Kika Tech with a total 2 billion downloads on Google Play Store have been accused of falsely claiming the credits for driving the installation of new apps in order to claim a fee or bounty.
Many mobile application developers generate revenue by promoting and recommending the installation of other apps inside their apps for a fee or a bounty that typically ranges from $0.50 to $3.00.
To know which advertisement recommended the app and should get the credit, the newly installed app does a "lookback" immediately after it is opened for the first time to see from where the last click was originated and attribute the installation accordingly.
However, Kochava found that Cheetah Mobile and Kika Tech apps are misusing user permissions to track when users download new apps and are apparently exploiting this data to hijack app-install bounties for even apps installed from other referrals, according to Buzzfeed News.
"This is theft — no other way to say it," Grant Simmons, the head of client analytics for Kochava, told the publication. "These are real companies doing it — at scale — not some random person in their basement."Here's the list of seven Cheetah Mobile apps and one Kika app, which received an investment from Cheetah Mobile in 2016, caught participating in the fraudulent ad scheme:
- Clean Master (with 1 billion users)
- Security Master (with 540 million users)
- CM Launcher 3D (with 225 million users)
- Battery Doctor (with 200 million users)
- Cheetah Keyboard (with 105 million users)
- CM Locker (with 105 million users)
- CM File Manager (with 65 million users)
- Kika Keyboard (owned by Kika Tech with 205 million users)
Discover the Hidden Dangers of Third-Party SaaS Apps
Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.RESERVE YOUR SEAT
These apps inappropriately claim credits for having caused the app downloads even when they played no role in the installations. The bounties, in this case, range in the millions of dollars.
You can have a look on the typical ad referral process (left picture) versus a hijacked ad referral process (right picture).
However, Cheetah Mobile blamed third-party SDKs (software development kits) or ad networks for the click injection, but when Kochava pointed out the SDK involved in the click fraud activity is actually owned and developed by Cheetah Mobile itself, and not by third parties, Cheetah denied that its SDKs were involved in ad fraud.
When contacted, Google told the publication that the company is still investigating Cheetah Mobile and Kika Tech apps for any fraudulent activity reported by the app analytic firm.