Google yanked some 29 photo apps from the Play Store this week after they were discovered to contain malicious code that pushed full-screen ads, stole information from users by tricking them into believing they had won a contest, and in some cases even lifted photos from devices to send to the malware designers behind the apps, Engadget reported this weekend.
According to a blog post by cybersecurity service Trend Micro, some of the apps (categorized as AndroidOS_BadCamera.HRX) were downloaded millions of times, with a large number of the downloads originating in Asia and “particularly in India.” Some of the apps hid themselves from the application list, apparently in the hope that users would forget they were installed, and none of the apps gave any indication that they were the ones loading ads on users’ devices, Trend Micro wrote. All used various tricks to prevent analysis, including packers (compression archives) and remote servers that were “encoded with BASE64 twice in the code.”
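What the double Base64 encoding mentioned above means for static analysis, as an added example (not Trend Micro's or the article's code): a scanner that peels nested Base64 layers from strings extracted from an app and reports any URL it uncovers, along with how many layers hid it. The sample bytes and the example.invalid hosts are constructed for illustration.

```python
import base64
import binascii
import re

# Runs of Base64 alphabet long enough to be worth testing.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
URL = re.compile(rb"https?://[^\s<>]+")


def try_b64(blob: bytes):
    """Strictly decode blob; None unless the result is printable ASCII."""
    try:
        out = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    return out if out and all(32 <= b < 127 for b in out) else None


def find_hidden_urls(data: bytes, max_depth: int = 3):
    """Return sorted (url, layers) pairs for URLs under 1..max_depth Base64 layers."""
    found = set()
    for match in B64_RUN.finditer(data):
        layer = match.group()
        for depth in range(1, max_depth + 1):
            layer = try_b64(layer)
            if layer is None:  # not Base64 any more: stop peeling
                break
            for url in URL.findall(layer):
                found.add((url.decode(), depth))
    return sorted(found)


# Constructed sample: NUL-separated strings as they might be dumped from an unpacked app.
SAMPLE = b"\x00".join([
    b"com.example.camera.MainActivity",
    base64.b64encode(base64.b64encode(b"http://ads.example.invalid/cfg")),  # two layers
    base64.b64encode(b"https://cdn.example.invalid/a.png"),  # one layer
    b"https://plain.example.invalid/help",  # not encoded, so not reported
    b"QUJDREVGR0hJSktMTU5PUA==",  # Base64 of plain text, no URL inside
])

if __name__ == "__main__":
    for url, layers in find_hidden_urls(SAMPLE):
        print(f"{layers}x Base64 -> {url}")
```

A URL that only appears after two or more decoding passes is a useful triage signal, since a plain-text search of the app's strings would miss it.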
The “contest” app prompted users to click through a series of screens before it hit them up for personal information. Trend Micro discovered that another batch of apps on the Play Store purporting to be “beauty” filter programs contained code that allowed their developers to steal photos:
These apps seemingly allow users to “beautify” their pictures by uploading them to the designated server. However, instead of getting a final result with the edited photo, the user gets a picture with a fake update prompt in nine different languages. The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes—for example as fake profile pics in social media.
Trend Micro wrote that the apps all took pains to appear as legitimate as possible, meaning that the main way users could tell something fishy was going on would be to read reviews (which, in at least one case, immediately pulled up users who wrote “Disgusting !stupid!Listen you stupid” and “if u download it u r phone will be hacked. worst app”).
Three of the malicious apps, Pro Beauty Camera, Cartoon Art Photo, and Emoji Camera, had well over a million downloads. 11 others were downloaded at least 100,000 times. That’s an awful lot of malware spreading through the Play Store, though that’s nothing new. As Wired noted in 2017, hackers can use a variety of tricks to evade Google’s automated security measures, including executing malicious code on a timer so that the app has already been scanned by the time the code runs, encrypting functions so that they can’t be detected, or attempting to download additional malware directly from attackers’ servers.