Apps are using scummy ads to bypass Google Play and install without your consent

Ads on Android devices are already annoying enough. Playing the “free” version of certain games gets you a full-screen ad every time you change levels or die. But so far, scummy ads have mostly been contained to their own, scummy sandbox where they can’t get out unless you tap them. Today, though, they’re crossing a new line, as a growing number of reports reveals efforts to install apps without user intervetion nor Play Store notifcation.

Basically, as detailed in a Reddit thread on /r/AndroidDev, there are a handful of ads making the rounds that will install apps on your phone, bypassing Google Play, and all without a user’s consent. The ad looks like a regular app listing from something like Google Play, and trying to close one will apparently cause the app to download and install, without additional user input required.

Further digging reveals this is being accomplished with Digital Turbine through its DSP (called Appreciate) and using a system app called DT Ignite, that essentially circumvents Play Store interaction and the manual APK-install dialog — the app promoted in the ad is essentially downloaded and installed straight from Digital Turbine’s servers into your phone through the ad.

So this software must be taking advantage of some kind of security flaw, right? Not so much. It turns out DT Ignite comes pre-installed on some devices by either carriers or manufacturers themselves. So it pretty much acts as a backdoor of sorts. Yikes.

If you remember hearing “DT Ignite” somewhere, especially in the context of bloatware and scummy backdoors, it’s because you did. DT Ignite has been around for years — it’s been making the rounds since at least 2014. Back then, it would allow carriers and phone manufacturers to silently install bloatware and apps on people’s phones. It was famously pre-installed by carriers like T-Mobile and Verizon on devices sold by them, together with the rest of the bloatware they usually install.

Until this point, though, it hadn’t actually been leveraged for ads at all, let alone for installing apps directly through those ads. As we said before, this service is provided by a DSP called Appreciate, which was purchased earlier this year by Digital Turbine. The company also owns a patent for this exact functionality, dated 2019. The DT Ignite app was used to install apps silently on carrier-branded phones, which was already an overreach, but here we’re talking about what’s essentially the same kind of malware that’s often promoted in mobile ads. This time, though, it can auto-install itself on your phone. Digital Turbine’s website even goes so far as to promote “one-click to install ad units” through its DSP among its services.

A comment in that same Reddit thread also provides some feedback from Digital Turbine itself about the issue. Supposedly, the ad is not supposed to install when you’re trying to close it or dismiss it. The company claims that DT Ignite’s packages are double-checked both before and after installation, listed in Google Play (there’s a considerable amount of crap listed in Google Play, so this is not particularly a high bar), and supplied over a secure connection.

This doesn’t really make any better the fact that ads can install stuff in your phone at all, and especially not when seeing the kinds of apps they’re installing. One of them, an app called “Weather Home”, apparently tries to replace people’s launchers, runs ads, and acts as a battery hog. It’s also, according to some reviews, kinda hard to uninstall. Considering that we’re talking about an app that’s installing itself through what’s essentially a backdoor, this could easily be considered malware.

Digital Turbine is reportedly preparing to issue a “more official” statement on this controversy, but we’re not sure how it will be able to make any of this look less scummy.