All

Posted on

AppLovin Execution Path

This post is part of AppLovin Nonconsensual Installs. See important disclosures.

A reliable way to understand what software does is to examine its source code and trace the execution path.  This is rarely possible for compiled code, but AppLovin is largely Java, which can be decompiled using tools such as JADX.  I reviewed decompiled source code alongside the full app manifests and relevant resource files embedded within APKs.  Together, these materials reveal both what the apps are permitted to do (via permissions), how execution proceeds from function to function, and, ultimately, what occurs.

Let me remark on three key challenges in interpreting the decompiled code.  First, length.  After decompilation using JADX, the AppHub APK totals a remarkable 626,053 lines of code.  Then there’s more in the AppLovin SDK, in install helpers, in manifests, and in JavaScript.  Of course most of the code is irrelevant to app installs.  In the excerpts linked below, I focus on what I found to be relevant.  But the execution path remains lengthy even after excerpting.

Second, both decompilation and deliberate obfuscation by AppLovin make parts of the code difficult to read.  Decompilation recovers some labels (function names and variable names), but others are lost and must be generated by JADX – yielding labels that are difficult to interpret (such as AbstractC1838d0) and not the labels actually used in AppLovin’s source code.  Meanwhile, AppLovin intentionally obfuscated (minified) its JavaScript—not unexpected, because they have no reason to help anyone read it, but still an impediment to understanding.

Third, Android’s architecture—including coroutine continuation functions for multithreading—adds further complexity.  This code is not the simple a() calls b() calls c() taught in introductory programming classes.

Nonetheless, with knowledge of Java syntax and Android architecture, and with determination and grit, the execution flow is apparent.  I worked on understanding this code on-and-off from February to September 2025, and I now feel I have a good understanding.  My remarks below are my best effort under important constraints, including both the size of the task and AppLovin’s intentional obfuscation.  I cannot guarantee perfection.  See my disclosures.

In the index below, I present code in the sequence in which it operates.  Where a function name is less than self-explanatory, I remark on its purpose.  In the linked pages, I introduce each block of code with a short narrative about key steps, and I use red text to mark the flow from one step to the next.  Occasional comments, marked with the prefix // , are added by me to explain selected areas.

In the AppLovin SDK

trackAndLaunchClick()

startDirectInstallOrDownloadProcess()

showDirectDownloadAppDetailsWithExtra()

AppHub mRemote.transact()

In AppHub wrapper

onTransact()

showDirectDownloadAppDetailsWithExtra() with service method AbstractC1838d0.m3826C(),delegate C2823r(), and Kotlin coroutine continuation with entry point mo410()

BinderC2829u.m4811d() creates intent DirectDownloadActivity

c3429t1.m5750a()

C3394o1 with continuation entry point mo410(r)

In DirectDownloadActivity

onCreate()

onAppDetailsCreate()

setupAppDetailsFragment() and coroutine continuation class C3359j1 with continuation entry point mo410r()

DirectDownloadMainFragment C3374l2 and onViewCreated mo1147B() with coroutines C3339g2, C3332f2, and C3325e2, plus coroutine continuation orchestrator M5734P and URL builder m5748L

AbstractC3404p4.mo1147B() with C3334f4 and C3320d4 (WebView loader)

DirectDownloadMainFragment continuation entry point mo410r()

WebView loads JavaScript resources that implement auto-install

C4785e (WebView loader)

Variable wt (default configuration)

Wt() checks IsAutoInstall and installs if set

C() checks isOneClickInstallOnCloseEnabled and installs if set

Wt() checks if AutoInstallDelayMs is set, and if so uses av() to hook a timer’s onExpire event to the install function

c() install function

Ge.installApp() hooks /install-app endpoint

makeNativeXhrRequest()

makeHttpRequest() wraps browser-native XMLHttpRequest

Java URL interceptor prepares to run T-mobile InstallerHelper

DirectDownloadMainFragment C3374l2 creates C3298a3 which creates C5252f (WebView interception manager)

C5252f registers endpoint handler C5461u for /install-app

C5461u activates DirectDownloadPackageManager C2495r1 with coroutine resume function m4446F()

C0033f0 creates C0023a0 (installation executor) and coroutine resume function m431o() and continuation entry point mo410(r)

mo410(r) runs T-Mobile InstallerHelper startInstall()

In T-Mobile InstallerHelper

m14262a message dispatcher

sendEmptyMesage()

startInstall()

prepareInstall()

performInstallBundle()

m14247a (InstallParams method)

PackageInstaller (Android Package Manager from core Android)

Posted on

Prior Critiques of AppLovin

This post is part of AppLovin Nonconsensual Installs. See important disclosures.

My work follows six prior critiques in which others questioned AppLovin practices, both as to app installations and beyond.  I organize those critiques here, in chronological order, to assist those who wish to reread them. I emphasize those reports and sections that, like my post today, consider nonconsensual installations.

Culper 1 – pages 7-25 about installs

Fuzzy Panda – Part II discusses Direct Downloads and other methods of gaming installs (citing my work), among other subjects

Culper 2 – broader topics: misrepresentation of Chinese ties, national security concerns

Muddy Waters – focused on tracking and persistent identifiers

Mike Shields – on installs (citing me)

Olivia Solon (Bloomberg) – reporting an SEC probe of AppLovin’s data-collection practices

Compared with prior reports, I provide a more detailed technical analysis. For example Solon’s report of SEC inquiry does not provide any source code, screenshots, packet logs, or other direct evidence of data collection violations. I also provide greater proof relative to prior reports of nonconsensual installations. For example, the prior reports about nonconsensual installs present snippets of code, whereas I trace the full execution chain from ad delivery all the way to installation. Similarly, prior reports offer a few complaints about nonconsensual installations, but I offer hundreds, plus I explore patterns of complaints across devices and situations, and I cross-check complaints against details in decompiled AppLovin code.

Posted on

AppLovin – My disclosures

This post is part of AppLovin Nonconsensual Installs.

In January 2025, I was engaged by an investment firm that was skeptical of AppLovin.  They asked me to investigate a range of concerns, including installation practices.  That engagement continued until June 2025.  My agreement with that firm disallows me from revealing its name, but allows me to share all information I figured out from public sources.  Since then, I have had no paid relationship with that firm—or any other investment firm—regarding AppLovin.

As part of my research for this post, I spoke with a range of experts concerned about AppLovin’s practices, including security researchers, journalists, industry analysts, attorneys, and competing adtech firms.  No money changed hands in any of these discussions.  As my post indicates, my primary methodology was forensic: I reviewed AppLovin source code and tested the product first-hand, plus examined user complaints.

From my extended analysis, I became convinced that AppLovin engaged in serious misconduct.  The accompanying report details the methods and evidence supporting this conclusion.

Consistent with my practice whenever contractually permitted, I am releasing this report publicly for anyone to use.  To the best of my knowledge, the information herein is accurate and based on sources and methods I consider reliable.  Nonetheless, all content is provided strictly “as is,” without any warranty—express or implied.  I make no representations as to the accuracy, timeliness, completeness, or likely results of using this information.  My research necessarily contains inferences, estimates, and opinions which may prove inaccurate and are subject to risks and uncertainties beyond my control.

This report is not investment advice.  I make no representation or warranty regarding its completeness or the future performance of AppLovin’s securities.  Readers must conduct their own research and due diligence, including consulting with financial advisors, before making investment decisions.

I hold a financial interest in which I profit if AppLovin’s stock price declines.  I opened this financial interest after completing research, based on my serious concern at what I found.  I may change, reduce, or close this position at any time, without notice.  I do not undertake to update this report to reflect changes in my views or positions.  However, if I conclude that I am mistaken about AppLovin’s technology, I will correct the record publicly.

***

Update, October 16, 2025: I no longer have a financial interest relating to AppLovin.

Posted on

Virgin Atlantic cancelling ticketed and confirmed award travel

I represented Chaim Zeev Rozen in a portion of his formal DOT complaint against Virgin Atlantic.  Mr. Rozen had transferred points from a credit card to Virgin’s frequent flyer program in order to redeem travel for relatives who shared his last name.  Inexplicably, Virgin cancelled the tickets — without telling him or the passengers.

I filed a Reply on Mr. Rozen’s behalf.  I pointed out that, contrary to Virgin’s repeated claim and even its Answer, nothing about his conduct was “fraudulent.” I criticized Virgin’s “fraud detection tools” which supposedly “flagged the booking”. I pointed out that Virgin’s Answer was oddly silent on whether any human even attempted to check whether those tools were correct.  I argued that Virgin did not act reasonably in the penalty it imposed and its handling of Mr. Rozen’s complaint and correspondence alleging error. I identified a DOT regulation and Virgin contract provision that were implicated.

The parties subsequently filed a Notice of Withdrawal of Complaint and Joint Motion to Dismiss, indicating that they reached an amicable resolution of the matter.  A footnote in that filing explains specific improvements Virgin made: new tools to better identify actual fraud, a new process for customer complaints and appeals, and new communications to passengers indicating that bookings have been canceled.  Kudos to Mr. Rozen for his role in bringing about these benefits for the traveling public.

Posted on

Advertising Fraud Detection at VPT Digital

Today I announced joining the security startup VPT Digital as Chief Scientist.  VPT operates in a space I feel I pioneered: Automated testing to find misconduct in affiliate marketing.  As early as summer 2004 (not a typo!), I was catching affiliates using adware to claim commission they hadn’t earned.  I later built automation to scale up my efforts.

Think affiliate fraud is no big deal?  I was proud to recover large amounts for my clients.  For one large client, I once proved that nine of its top ten biggest affiliates were breaking its rules – which might sound like a disaster, and in some sense it was, but ejecting the rule-breakers yielded ample funds to pay more to those who genuinely drove incremental value.  Affiliate marketing experts may also remember Shawn Hogan and Brian Dunning, who faced both criminal and civil litigation for affiliate fraud – allegations that the FBI said stemmed from reports from me.  Litigation reported that defendants collected more than $20 million in 18 months.  “No big deal,” indeed.

The web is a lot messier than when I started down this path, and tricksters use a remarkable range of methods.  Reviewing VPT’s automation, I’ve been suitably impressed.  They test a range of adware, but also cookie-stuffing, typosquatting, and more.  Of course they test Windows adware and browser plug-ins, but they and have Mac and mobile capabilities too.  They test from multiple geographies, at all times of day.  Their testing is fully automated, yielding spiffy reports in a modern dashboard – plus email alerts and API integration.  It’s all the features I used to dream of building, and then some.

I’ll be working with VPT part-time in the coming months and years to continue to hone their offerings, including making their reports even more accessible to those who don’t want to be experts at affiliate fraud.  I’ll also blog about highlights from their findings.

Posted on

Google Discovery Violations in In re Google Digital Advertising Antitrust Litigation

This post is part of Revisiting Litigation Alleging Google Discovery Violations.

In re: Google Digital Advertising Antitrust Litigation1:21-md-03010-PKC. (S.D.NY.)

MDL docket originated August 12, 2021.  First filing as to spoliation May 30, 2025.

May 30, 2025 letter presents MDL Plaintiffs’ request to file motions seeking an adverse inference against Google based on its spoliation — grounded in its scheme to encourage employees to use Google Chat set to automatically delete messages for employees subject to litigation hold; its failure to ensure that employees complied with litigation holds; and its policy to mislabel sensitive information as “privileged and confidential” to attempt to avoid discovery.

Explains the evidence of Google’s intent to spoliate evidence, including employees discussing what information they should discuss where and how.

Summarizes critical remarks from other courts that examined Google’s spoliation.  Donato: “a permissive adverse inference instruction is a reasonable and proportionate remedy to Google’s intentional failure to preserve relevant evidence.”  Mehta: “Google’s failure to preserve chat messages might” “warrant” sanctions. Brinkema: “systematic disregard of the evidentiary rules regarding spoliation of evidence … may well be sanctionable.”

Criticizes’s Google’s “systematic abuse of privilege” including by CEO Sundar Pichai personally, noting his admission that he “marked e-mails privileged, not because [he was] seeking legal advice, but just to indicate that they were confidential.”  Notes criticism from other courts: Donato: “frankly astonishing abuse of the attorney-client privilege designation to suppress discovery.”  Mehta: “the court is taken aback by the lengths to which Google goes to avoid creating a paper trail for regulators and litigants.”  Brinkema: “misuse of the attorney-client privilege may well be sanctionable.”  Notes that other courts only withheld an adverse instruction because it would have been superfluous given the liability findings already made.

Posted on

Public comment on passenger complaint about airline overcharge

Aviation enthusiast Mike Borsetti last month alerted the US Department of Transportation to Qatar Airways adding bogus fees contrary to prior representations: Their online check-in allowed him to select a seat free of charge, but at the airport, both check-in staff and a manager said he’d have to pay to keep that seat.  In response, Qatar tried to trivialize Borsetti’s problem — as if this overcharge doesn’t matter or isn’t important enough for DOT to investigate.  In a public comment filed today, I explained why Borsetti is absolutely right:

First, having already complained to both line staff and a manager at the airport, Borsetti had put Qatar amply on notice of the dispute.  Qatar says he should have complained again, after travel, so they could refund him then.  But two unsuccessful discussions with airline staff is more than enough to justify Borsetti’s decision to bring this matter to a regulator.

Second, by all indications the problem stretches well beyond Borsetti alone, and is bigger than Qatar admits.  Online comments already revealed four other customers with substantially the same problem — online check-in seating dishonored unless customers pay more at the airport.  Of customers affected, only a tiny fraction would both realize they were overcharged and then happen to see the one blog discussing Borsetti’s complaint.  So the problem must be substantial.  And that’s as you’d expect: If there’s a defect in Qatar’s software or process, such as airport systems mistakenly saying a seat fee is due even though online check-in already authorized a seat without charge, that problem would occur for a broad swath of passengers since software ordinarily operates predictably and consistently.

On some level Borsetti’s complaint is unusually simple.  He was overcharged, he wants a refund, and he wants Qatar Airways to stop charging passengers for seats it had said would be free.  Will DOT act to make sure all the other affected passengers — who didn’t realize they were overcharged, or didn’t take the time to complain — are also fully refunded?  And will DOT act to make sure that Qatar Airways finally fixes its systems so this problem doesn’t recur?