Finding randomly installed apps on your phone? Blame it on ads

XDA

By Adam Conway

Published Oct 12, 2021

Apps can be installed without your consent on some smartphones, all thanks to ads. It seems to be thanks to DT Ignite, too.

Ads are pretty annoying, and a lot of games and apps are packed full of advertisements rather than offering a paid alternative. However, users are now reporting that some ads can bypass the Google Play Store to install apps on your smartphone without your consent. This is bad for obvious reasons, and advertisements should never be able to escape their own sandbox to interact with the rest of the smartphone.

First disclosed on the /r/Androiddev subreddit, it turns out these particular ads are being served by Digital Turbine's demand-side platform (DSP). A DSP in this context is a system that allows advertisers to purchase advertising with the help of automation.

On Android, system-level applications are able to access the package manager in order to install apps without asking for user permission. Typically, OEMs and the Google Play Store are the only apps that actually make use of that ability on Android smartphones, however, Digital Turbine's software can also be installed on a system level. It seems that when this particular advertisement for the weather app is shown, it detects whether or not Digital Turbine's software is installed. If it is, then it appears to leverage DT Ignite to circumvents the Play Store. DT Ignite is pre-loaded as a system app on many smartphones by carriers such as AT&T, Verizon, Claro, and Singtel.

Reddit user /u/omniuni helped to explain the issue on the /r/Androiddev post, and Digital Turbine reached out to them to clarify a number of points. Firstly, Digital Turbine apparently said that Ignite should never be able to install an app without user interaction. /u/omniuni was told that their own documents state that clicking an "x" or dismissing a dialogue should not install anything. Secondly, Digital Turbine maintains that applications distributed through Ignite ads are verified both before and after being installed, are registered with Google Play, and are delivered over a secure connection. The company reportedly also told the user that they are working on a more official response.

For what it's worth, applications should never be installed on an Android smartphone without user consent. Never mind ethical concerns, but there have been numerous issues with malicious apps in the past on Android. The problem is that ads frameworks like these are pre-loaded on many Android smartphones, and abuse of the system can happen. Carriers use it to install bloatware, and that was already an overreach in the eyes of many.