Many Android apps and games don’t offer paid alternatives but rely on ads for revenue. It’s standard practice though ads are pretty annoying and have been getting more invasive over time. After all, whether you like them or not, ads are an integral part of our digital world. But it appears some ads are crossing the boundaries they are supposed to live within. Certain ads, which when interacted with, are installing third-party apps without the user’s consent, many users have reported.

An Android developer recently took to Reddit to report that users are leaving negative reviews for their game on the Google Play Store (via). There’s a pattern in those negative reviews. Everyone is complaining that the said game installed an unknown app on their device, without their permission. They didn’t click on any install button, neither they received any notification from the Play Store for a new download.

The third-party app was installed when users interacted with an ad that popped up within the said game app. However, the users didn’t tap on any download/OK button, or anything of that sort. Instead, they had closed the ad but the app was forcibly installed on their device. Clear enough, the malware is bypassing Google Play.

Digging deeper, the said developer unearthed some interesting facts. A Texas-based advertising company called Digital Turbine is behind this technology (of installing apps without permission). You can see that name in the fine print at the bottom of the attached screenshots above. The company is using its DSP (demand-side platform) and a system app called DT Ignite to bypass Google Play and install apps through its servers. But it is not a security flaw! How? Let us explain.

DT Engine has been around for years and acts as a backdoor

DT Engine is not a new system app. It has been around for years. It comes pre-installed on many Android smartphones. Carriers, and even manufacturers, have been using this system app to sneakily install bloatware on devices after they have been sold. However, it is now providing a backdoor to unscrupulous advertisers who are using this technology to install malware on people’s phones.

Digital Turbine owns a patent for this technology. The company even claims it provides the only DSP for Android and iOS with “one-click install ad units”. However, it says ads are not supposed to install apps when the user has closed or dismissed them. Moreover, the apps it provides are registered in Google Play and are verified before and after installation. The company also promises to deliver the packages over a secure connection.

But exactly the opposite is happening here and it’s concerning, to say the least. And when you consider the apps that it is installing, things look much worse. An app called Weather Home, which is installing itself through this backdoor, reportedly replaces launchers, runs intrusive ads, and consumes an enormous amount of power.

There’s no shortage of scummy ads plaguing Android apps. But this one goes the farthest by installing unwanted apps even when you have dismissed the ad. However, the real problem is Android OEMs and carriers are preloading such abusive ad frameworks on their devices. They did so for their selfish benefits, which are already an overreach, but users are now having to suffer worse consequences.

Digital Turbine is reportedly preparing an official statement regarding this situation. But no matter what they say, no app should ever be able to install itself on a device without user consent.