Chinese app giant Cheetah Mobile told investors that it is "very seriously" examining the allegations in a BuzzFeed News story that reported the company was exploiting user permissions as part of an ad fraud scheme. Cheetah's stock is down more than 30% since the story was published Monday.
Cheetah also said it temporarily removed two apps mentioned in the story from the Google Play store. Those apps, Battery Doctor and CM Locker, have been downloaded more than 300 million times.
"Earlier today, Cheetah Mobile temporarily removed Battery Doctor and CM Locker from the Google Play Store on our own initiative. CM Locker has been re-launched already, and Battery Doctor will be re-launched very soon," the company said in a statement. (It did not immediately respond when asked by BuzzFeed News why it removed the apps.)
On Monday, BuzzFeed News reported that seven Cheetah Mobile apps with more than 1.5 billion total downloads were using an ad fraud technique called click injection to claim credit and a share of revenue for the installation of other apps. This behavior was detected by , an app analytics and attribution company.
BuzzFeed News reported that seven Cheetah Mobile apps with more than 1.5 billion total downloads were using an ad fraud technique called click injection to claim credit and a share of revenue for the installation of other apps. This behavior was detected by Kochava, an app analytics and attribution company.
“This is theft — no other way to say it,” Grant Simmons, the head of client analytics for Kochava, previously told BuzzFeed News.
Kochava found that Cheetah's apps were exploiting the system that sees developers pay a fee to companies that generate new installations of their apps. Cheetah's apps were claiming a portion of these fees in cases where it played no role in an app's installation, according to Kochava. (Read the original story for a detailed description of click injection.)
"Cheetah Mobile takes the issues raised in the article very seriously," the company said in a press release issued this morning. The company said it was looking into the third-party software development kits (SDKs) integrated into its apps that help deliver ads to users. Cheetah suggests SDKs might be responsible for the behavior.
Simmons said third-party SDKs are not involved in the click injection process detailed in Kochava's research and the article.
"The explanation provided by Cheetah refers to SDKs meant for ad delivery in-app. The fraud detailed in our research and the related article does not look at in-app ad delivery from the apps in question, but instead the syndication of fraudulent signals taking place on the device when the apps are present," he said in an email.
BuzzFeed News also asked Praneet Sharma, the CTO of ad fraud investigation firm Method Media Intelligence, to conduct an independent review, and he came to the same conclusion as Kochava.
Kochava and Sharma both found that Cheetah's apps listen for when a user downloads a new app. They then launch the new app without the user's knowledge and "inject" a claim to have caused the download. App developers pay a fee that can range from 50 cents to $3 for each new app installation. Click injection helps Cheetah's apps claim a portion of that fee.
Cheetah issued a second press release after markets closed on Tuesday to deny it engages in click injection and threaten legal action. It also said the two stories from BuzzFeed News contain "numerous untrue and misleading statements," though it did not detail the inaccuracies.
"The Company plans to take legal actions against those parties such as Kochava and the responsible persons that the Company believes have generated and disseminated those untrue and misleading statements," it said.
Cheetah's earlier statement also addressed its use of user permissions to watch for app downloads and launch new apps. "The Company is dedicated to complying with all relevant Google policies, GDPR, laws and regulations," it said.
The Cheetah apps engaged in click injection are Clean Master, CM File Manager, CM Launcher 3D, Security Master, Cheetah Keyboard, Battery Doctor, and CM Locker, according to Kochava.
The story was updated to include a statement from Cheetah Mobile that it voluntarily removed CM Locker and Battery Doctor from the Play store.
Comments from Cheetah's second press release were added.