Two Android apps found in Google Play, which posed as selfie camera filters and were downloaded more than 1.5 million times, included functionality that secretly records audio without the user's knowledge.
The main job of these two apps was not spying on users but forcefully pushing adware that covered the entire screen of the Android device.
The two apps were Sun Pro Beauty Camera, which had more than one million installations, and Funny Sweet Beauty Selfie Camera, which had been installed over 500,000 times.
Security researchers from Wandera, who analyzed the functioning of the two adware apps, stated that they had permissions that did not fit with their advertised purpose.
Besides the normal permissions required by any app that needs access to the camera, there were some concerning ones, like SYSTEM_ALERT_WINDOW and RECORD_AUDIO.
SYSTEM_ALERT_WINDOW permission allows the app to overlay arbitrary content. This could be used for clickjacking or to trick users into typing sensitive information, like credentials or banking details.
As per the Android documentation, only a few apps should use this permission because overlay windows are intended for system-level interaction with the user. So, the users must simply grant it.
The RECORD_AUDIO permission allows the app to capture audio using the device’s microphone, and the recording would start without telling the user.
To prevent misuse, starting with Android 6 (Marshmallow), apps using a dangerous permission must ask for approval at run time, and once the request is granted, the app does not ask again.
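The permission mismatch described above can be checked mechanically. The following is an added example, not code from the article or from Wandera: it audits a decoded AndroidManifest.xml against the permissions a camera-filter app would plausibly need. The sample manifest, its package name and the `EXPECTED` allowlist are constructed assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# The two permissions the article calls out, with the risk it describes.
CONCERNING = {
    "android.permission.SYSTEM_ALERT_WINDOW": "can overlay arbitrary content",
    "android.permission.RECORD_AUDIO": "can capture microphone audio",
}
# Assumption: what a selfie-filter app plausibly needs; adjust per app category.
EXPECTED = {
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Constructed sample manifest; the package name is hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.selfiefilter">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="22"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""

def audit(manifest_xml, expected=EXPECTED):
    """Report permissions that do not fit the app's advertised purpose."""
    root = ET.fromstring(manifest_xml)
    requested = {n.get(ANDROID + "name") for n in root.iter("uses-permission")}
    requested.discard(None)  # ignore malformed entries without a name
    unexpected = sorted(requested - set(expected))
    sdk = root.find("uses-sdk")
    target = sdk.get(ANDROID + "targetSdkVersion") if sdk is not None else None
    return {
        "package": root.get("package"),
        "unexpected": unexpected,
        "concerning": {p: CONCERNING[p] for p in unexpected if p in CONCERNING},
        # Apps targeting API < 23 get dangerous permissions at install time,
        # so the user never sees the run-time approval prompt.
        "install_time_grant": target is not None and int(target) < 23,
    }

if __name__ == "__main__":
    report = audit(SAMPLE)
    print(report["package"], "install-time grant:", report["install_time_grant"])
    for perm, risk in report["concerning"].items():
        print(f"  {perm}: {risk}")
```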
Researchers tested the adware behavior of the apps on a device running Android Lollipop. After being launched, both apps created a shortcut and then removed themselves from the app drawer. This ensures persistence on the device, as users would have to uninstall them from the Apps menu.
Even though both apps display full-screen ads, they are triggered differently. Sun Pro Beauty Camera does not need to be opened for the adware to take over the screen. Even if you restart the phone, it continues to pop up full-screen ads which are difficult to close.
In Funny Sweet Beauty Camera, unwanted promotions start only when we download filtered photos through the app onto the device.
To protect against analysis, the author(s) of the apps packed the APKs with the Chinese packer Ijiami. This does not indicate that all Android apps wrapped with Ijiami are malicious, because it is a common practice to use a packer.
Both apps were reported to Google on September 11 and have been removed from the official Android store. However, they continue to make money and compromise user privacy on devices that already have these apps installed.
The researchers recommend checking for their presence in the Android Settings menu, under Apps, and removing them from there.