Here we go again—more dangerous, malware-laced apps found lurking in Google’s Play Store. Android’s preeminent storefront has come in for serious criticism in recent months, with multiple warnings about malware-laced apps which have often been on the store for months, or even years, and which have been installed by hundreds of millions of users. This latest warning concerns four VPNs and two selfie apps, with more than 500 million installs between them, all of which contain harmful adware and which seek dangerous system permissions that can inflict serious harm.
Such malware warnings have now become a theme, and despite significant efforts to clean house the issue remains prevalent and users remain at risk. Google Play Protect is designed to guard against app vulnerabilities and, in 2018, Google “detected and removed malicious developers faster, and stopped more malicious apps from entering the Google Play Store than ever before. The number of rejected app submissions increased by more than 55%, and we increased app suspensions by more than 66%.”
But yet again we now have warnings that dangerous apps are still available for install on Google’s official store.
First comes a warning from security researcher Andy Michael about four Android VPNs that are bombarding devices with fraudulent ads, generating revenue for their operators at the expense of the companies placing the ads. The four apps all originate in China, and two have almost identical code. In total, the apps have been installed more than 500 million times. That, it hardly needs saying, amounts to a lot of ads and a lot of fraudulent revenue. And so, if you have one of HotSpotVPN, Free VPN Master, Secure VPN, or CM Security Applock AntiVirus installed on your machine, you might want to delete that right away.
Full details on the four dodgy VPNs can be found on the VPN Testing website.
Second comes a warning from security researchers at Wandera that two camera filter apps with more than 1.5 million installs between them have been infecting devices with adware. Sun Pro Beauty Camera and Funny Sweet Beauty Selfie Camera have been filling screens with full-screen ads. One of the apps even continued to display its ads when the app remained unopened, suggesting malware more sophisticated than the code required to run basic ad fraud.
With this in mind, the Wandera researchers also warned that the permissions requested by the apps could do more damage than just serving fraudulent ads. These permissions included recording audio without user confirmation, installing shortcuts, serving fake system alerts and automatically loading after a device restart.
The two apps have now been removed from the Google Play Store.
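The permissions the Wandera researchers describe can be checked before an app is trusted. As an added example (not from the article or from Wandera's research), this Python script parses `aapt dump permissions` output and flags packages that request several of them; the mapping to Android permission names, the threshold and the sample package names are assumptions.

```python
import re

# Assumed mapping from the behaviours named in the article to Android
# permission strings; the article itself does not list the identifiers.
RISKY = {
    "android.permission.RECORD_AUDIO": "record audio",
    "com.android.launcher.permission.INSTALL_SHORTCUT": "install shortcuts",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps",
    "android.permission.RECEIVE_BOOT_COMPLETED": "start after restart",
}

# Accept both aapt styles: "uses-permission: name='X'" and "uses-permission: X"
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=)?'?([\w.]+)'?")
PKG_RE = re.compile(r"^package:\s*(?:name=)?'?([\w.]+)'?")

def parse_dump(text):
    """Return {package: set(permissions)} from concatenated aapt dumps."""
    apps, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            apps.setdefault(current, set())
            continue
        m = PERM_RE.match(line)
        if m and current is not None:
            apps[current].add(m.group(1))
    return apps

def audit(text, threshold=3):
    """Triage only: flag packages requesting >= threshold risky permissions."""
    hits = {p: sorted(perms & set(RISKY)) for p, perms in parse_dump(text).items()}
    return {p: h for p, h in hits.items() if len(h) >= threshold}

# Constructed sample input; both package names are hypothetical.
SAMPLE = """\
package: com.example.beautycam
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='com.android.launcher.permission.INSTALL_SHORTCUT'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
package: com.example.notes
uses-permission: android.permission.INTERNET
uses-permission: android.permission.RECEIVE_BOOT_COMPLETED
"""
```

A flagged package is a prompt for manual review, since legitimate apps also request some of these permissions individually.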
Ad fraud can sometimes be dismissed as a trivial strand of malware, less damaging than subscription or calling fraud, trojans that scrape or steal credentials, or system take-overs that hunt out and exfiltrate data. But harmful code that operates against a user’s interest should always be taken seriously. Even with ad fraud, the damage usually goes beyond a hot CPU and a drained battery.
In recent weeks, we’ve seen reports of dozens of apps with hundreds of millions of installs being found to contain dangerous modules. We have seen reports of tens of millions of devices shipping with malware inside the preinstalled apps. And we have seen Google Play extend the review time for new apps as it looks to combat the issue.
But, as I’ve said before, there’s no substitute for common sense and treating apps from unknown sources as potential threats. Google’s Android (and Apple’s iOS) are making it increasingly easy for users to track permissions granted and app abuse. This is not before time, and everyone should take advantage of all the protections in place, clicking with caution and keeping the doors to their all-seeing smartphones locked from would-be intruders to the extent they can.
There are clever malware attacks out there, and they can be impossible to spot in the wild, but that’s not what’s at issue here. Cheap-looking apps like this latest bunch, which promise and deliver little, are rarely worth the risk.