Tens of thousands of smartphone apps are running ads from rogue advertising networks that change smartphone settings and take contact information without permission, according to a new study released Monday
Aggressive ad networks can disguise ads as text message notifications or app icons, and sometimes change browser settings and bookmarks. Often, the ads will upload your contacts list to the ad network’s servers — information the ad network can then sell to marketers
Sounds scary? It’s not a giant problem yet, but it’s a growing one. As many as 5% of free mobile apps use an “aggressive” ad network to make money, according to Lookout, a San Francisco-based mobile security company.
With millions of mobile apps in stores, that small sliver adds up to a big number. The study found that 19,200 of the 384,000 apps it tested used malicious ad networks. Those apps have been downloaded a whopping 80 million times.
PhoneLiving was one of the most prevalent app developers to use these kinds of ad networks, according to Lookout — their dozens of talking animal apps have been downloaded several million times.
PhoneLiving says it has mended its ways. The company acknowledged using invasive techniques to make money from its apps, but says it dropped those methods at the start of this month because of bad reviews and declining downloads.
“We have removed all of the notification/icon ads from all of our talking apps,” a company spokesman said. “We have made this switch to benefit our users despite the lower profits involved in other types of ads.”
The most popular type of apps that use aggressive ad networks are “personalization” apps, which include wallpapers. Comic, arcade and entertainment apps are also among the most likely to have rogue ad networks running behind the scenes.
Like aggressive pop-ups on PCs, the bad software isn’t easy to shed. Though the damage can typically be reversed by deleting the app, it can be hard to pinpoint which app is causing the problems.
“Sometimes you download 10 apps at a time, so you don’t know which is responsible,” said Kevin Mahaffey, Lookout’s CTO. “It’s not unlike adware in the early PC days.”
When developers create free mobile apps, they usually make money through ads displayed within the app. That free version of Angry Birds didn’t cost you anything because of the pop-up ad that appears right as you’re catapulting the red bird at its target.
The vast majority of ads run on well-known ad networks like Jumptap, Apple’s (AAPL, Fortune 500) iAd and Google’s (GOOG, Fortune 500) AdMob. They collect some information about their users, but they don’t go to the extremes of uploading contact lists and changing settings.
The appeal of the ad networks that Lookout calls “aggressive” is that they generate more revenue for app developers.
Android ad network Airpush, for example, places ads in users’ notification bars and home pages . That generates more clicks — and more money for developers — since even inactive users can view the ads.
Lookout has criticized Airpush in the past for being overly aggressive with its marketing techniques. Airpush remains the second-biggest ad network for Android devices.
Airpush gives customers the option of opting out of its push notification ads, and users are notified the first time they launch an Airpush-equipped app about the app’s advertising methods. All of Airpush’s ads include the name of the app transmitting the ad, the company says.
An Airpush representative says the company plans to move within the next two weeks to “an affirmative opt-in” system for its push notification ads.
App makers don’t usually disclose what ad network they’re using, which makes it hard to avoid the known offenders. The best defense is to read reviews and avoid downloading apps that have attracted a trail of complaints.
Lookout’s Mahaffey says bad actors are more prevalent on Android phones than iPhones, because the Google Play app store has fewer restrictions and gatekeepers than Apple’s iTunes app store.
But the iPhone isn’t immune: Other ad networks Lookout considers aggressive include Moolah Media and Leadbolt, which publish apps for both Android and iOS.