More than 5,000 iOS, Android and Windows Phone apps are currently serving invisible advertisements that not only defraud advertisers, but also drain the data and battery life of unsuspecting smartphone users all over the world.
According to a new report by online advertising fraud detection firm Forensiq, the advertisements are loaded into hidden iFrames inside the app, so the user never sees them, and the loading continues constantly in the background even when the app is not open.
Apart from draining the phone's battery, each affected app consumes large amounts of data downloading the ads and registering impressions as if a person were viewing them, tricking advertisers into spending $895m (£578m, €818m) a year on ads no one is seeing.
The problem currently affects more than 20 million devices across the US, Europe and Asia, and an affected device uses up an average of 2GB of mobile data a day, so if you or your child is running up unusually high mobile data bills without doing much on the phone, this could be why.
Gaming and lifestyle apps most likely to be hijacked
Using both an emulator and physical devices on which they installed apps by hand from the app stores, data scientists from Forensiq downloaded a total of 35,243 apps to see whether any of them exhibited malicious behaviour.
They discovered that 5,161 gaming and lifestyle apps from Apple's App Store, Google Play and the Windows Phone Store asked for suspicious-sounding permissions at install time, such as the ability to edit and delete data on the phone's SD card, or to use location services while running in the background.
The data scientists then analysed the 5,161 suspicious apps in detail over 30 days, and then measured how the apps behaved around the clock for a further 10 days.
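The two-stage triage described above (a permission screen followed by behavioural monitoring) can be expressed as a small analysis script. The following is an added example written for this page, not Forensiq's own tooling or code from any of the named apps: it screens constructed manifests for permissions a casual game has no obvious use for, then summarises a constructed per-app network log into ad requests per minute, background ad loads and projected daily data use. The Android permission names are real; the app names, the log lines, the log format and the rate threshold are assumptions made for the demonstration, and the 20-ads-a-minute figure the article quotes later is only a reference point for choosing that threshold.

```python
"""Added example: two-stage triage of apps for hidden-ad fraud.

Stage 1 flags apps whose manifests request permissions with no plausible
use for a simple game. Stage 2 summarises per-app network logs into ad
requests per minute, background ad loads and projected bytes per day.
App names, log lines and thresholds are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime

# Analyst's list (assumption): permissions a casual game should not need.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.WRITE_EXTERNAL_STORAGE",      # edit/delete SD card data
    "android.permission.ACCESS_BACKGROUND_LOCATION",  # location while not in use
    "android.permission.RECEIVE_BOOT_COMPLETED",      # run without the user opening it
}
ADS_PER_MINUTE_THRESHOLD = 5.0  # assumption; no real game refreshes ads this fast

# Constructed manifests for three hypothetical apps.
MANIFESTS = {
    "game.one": ["android.permission.INTERNET"],
    "game.two": ["android.permission.INTERNET",
                 "android.permission.WRITE_EXTERNAL_STORAGE",
                 "android.permission.RECEIVE_BOOT_COMPLETED"],
    "lifestyle.three": ["android.permission.INTERNET",
                        "android.permission.ACCESS_BACKGROUND_LOCATION"],
}

# Constructed device log: timestamp, app, fg/bg state, request kind, bytes.
LOG = """
2015-07-23T10:00:00 game.one fg ad 40000
2015-07-23T10:00:30 game.one fg ad 41000
2015-07-23T10:01:00 game.one fg api 2000
2015-07-23T10:00:00 game.two fg ad 52000
2015-07-23T10:00:03 game.two bg ad 51000
2015-07-23T10:00:06 game.two bg ad 50000
2015-07-23T10:00:09 game.two bg ad 53000
2015-07-23T10:00:12 game.two bg ad 49000
2015-07-23T10:00:15 game.two bg ad 52000
2015-07-23T10:00:18 game.two bg ad 50000
2015-07-23T10:00:21 game.two bg ad 51000
2015-07-23T10:00:24 game.two bg ad 52000
2015-07-23T10:00:27 game.two bg ad 48000
2015-07-23T10:00:30 game.two bg ad 51000
2015-07-23T10:00:00 lifestyle.three fg api 3000
2015-07-23T10:05:00 lifestyle.three bg api 3000
"""


def screen_permissions(manifests):
    """Stage 1: map each app to the suspicious permissions it requests."""
    flagged = {}
    for app, perms in manifests.items():
        hits = sorted(set(perms) & SUSPICIOUS_PERMISSIONS)
        if hits:
            flagged[app] = hits
    return flagged


def parse_log(text):
    """Parse the constructed log format into (time, app, state, kind, bytes)."""
    events = []
    for line in text.strip().splitlines():
        ts, app, state, kind, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), app, state, kind, int(nbytes)))
    return events


def summarise_traffic(events):
    """Stage 2: per-app ad rate, background ad count and projected daily bytes."""
    per_app = defaultdict(list)
    for ev in events:
        per_app[ev[1]].append(ev)
    summary = {}
    for app, evs in per_app.items():
        times = [e[0] for e in evs]
        # Observation window in minutes; never shorter than one minute.
        span_min = max((max(times) - min(times)).total_seconds(), 60) / 60
        ads = [e for e in evs if e[3] == "ad"]
        summary[app] = {
            "ads_per_minute": len(ads) / span_min,
            "background_ads": sum(1 for e in ads if e[2] == "bg"),
            "projected_bytes_per_day": int(sum(e[4] for e in evs) / span_min * 1440),
        }
    return summary


def triage(manifests, log_text):
    """Combine both stages into a per-app report with the reasons it was flagged."""
    perm_hits = screen_permissions(manifests)
    traffic = summarise_traffic(parse_log(log_text))
    report = {}
    for app in manifests:
        stats = traffic.get(app, {"ads_per_minute": 0.0, "background_ads": 0,
                                  "projected_bytes_per_day": 0})
        flags = []
        if app in perm_hits:
            flags.append("permissions")
        if stats["background_ads"] > 0:
            flags.append("background_ads")
        if stats["ads_per_minute"] > ADS_PER_MINUTE_THRESHOLD:
            flags.append("ad_rate")
        report[app] = {**stats, "suspicious_permissions": perm_hits.get(app, []), "flags": flags}
    return report


if __name__ == "__main__":
    for app, info in triage(MANIFESTS, LOG).items():
        print(app, info["flags"], f'{info["ads_per_minute"]:.1f} ads/min',
              f'{info["projected_bytes_per_day"] / 1e9:.2f} GB/day')
```

The permission screen alone is only a shortlist (lifestyle.three is flagged on permissions but shows no ad traffic), which is why the second stage matters: an app that keeps requesting ads while in the background, at a rate no person could be viewing, is the behaviour that actually separates fraud from an aggressive but legitimate ad integration.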
Forensiq discovered that some of the apps looked as if they had been hijacked by cybercriminals, but other apps were deliberately built in a malicious way to serve as many invisible ads as possible.
These apps included silly games like Vampire Doctor, Plucking Eyebrows and Celebrity by an app developer called Girls Games Only and sold on the Google Play app store.
Malicious apps serving 20 ads a minute
"Some of these apps were running at a rate of 20 ads a minute, which is crazy," Erol Soyer, international managing director of Forensiq, told IBTimes UK.
"A number of experts have stood up and said that mobile fraud isn't a problem, but that's totally inaccurate. It takes a long time for people to know that fraud happens in the first place.
"Many people in the industry are making general assumptions about the way an app is approved on an app store. They're presuming that that process can prevent mobile fraud, but it's not true."
Bloomberg contacted Google about the three apps named by Forensiq, and although Google didn't respond to its request, the apps were removed from Google Play by 4pm EDT (9pm BST) on 23 July.
13% of mobile advertising spend goes to fraud
Soyer says that Forensiq has received "an avalanche" of enquiries from app developers, security researchers, marketing professors and even concerned parents who have seen their children's phone bills spike, but Apple, Google and Microsoft have not answered its calls.
"We don't want to publicly reveal the names of all 5,000 apps as some of them might have been hijacked, and the more information you give out to someone who is doing this deliberately, the better they can prevent us from detecting it," said Soyer.
Forensiq predicts that in-app fraud will surpass $1bn a year, which equates to 13% of mobile advertisers' total spend, making it a much bigger issue than previously thought.
"This is not an inconsequential problem. The big players like Apple, Google and Microsoft need to get together and look at this problem as an industry. They've got to find a way to identify the spoofing when apps are submitted to the app store and realise what maliciously designed apps look like."
IBTimes UK has contacted Apple, Google and Microsoft for comment and is waiting for a response.