[mtgx]

This is why no matter how much Google brags about its machine learning-powered anti-malware protection, it can't rely solely on it to defend Android users, because it's still a cat and mouse game with sophisticated attackers. They need to find a way to patch all devices in a timely manner.

[openasocket]

This isn't really an issue with a vulnerability, AFAICT. The App is basically just automatically clicking ads in the background. I'm not sure there's an easy way to prevent this from happening at the end user level, except by static and dynamic analysis on the part of Google to keep the Play store free of malicious Apps.

[ry_ry]

It'd be obvious on the ads side though - If this was activated across multiple apps simultaneously, their clickthrough rate would have gone through the roof.

Heck, even if it was dripped out slowly, average % clickthrough - even on mobile where ads get fat fingered more often - is a tiny fraction of views. They would have been reporting some pretty crazy numbers.

No way in the world this wasn't easily spotted, when clickfraud is already a well known thing and Google are in the business of tracking things to sell more ads.