Wandera’s threat research team has discovered two adware apps on the Google Play Store with a combined 1.5M+ downloads. The apps are both selfie filter camera apps with similar functionality.

Adware is usually viewed as a nuisance for the end-user. However, mobile adware can kill productivity, leading to more serious repercussions for businesses. Intrusive out-of-app ads interrupt users in the middle of their workflow, brick their devices, and drain the device battery; in some cases, infected devices need to be replaced altogether.

Adware enables its authors to make money from affected devices, and while it is typically regarded as more of a nuisance than a severe threat, these particular apps have more advanced functionality than your average adware.

The first app is called Sun Pro Beauty Camera and has more than 1 million downloads on Google Play. The second is Funny Sweet Beauty Selfie Camera and has over 500,000 downloads on Google Play.

During our testing on a device running Android 5.1.1, we observed the following functionality across both apps:

  • Once installed, the app icon is visible in the app drawer.
  • When the app is opened, it creates a shortcut and then removes itself from the app drawer.
  • Even after uninstalling the shortcut, the app stays active and can be seen running in the background.
  • The ad behavior differs between the two apps:
    • Testing on Sun Pro Beauty Camera showed that even if the app is never opened and even after restarting the device, full-screen ads start to pop up that are difficult to close.
    • Testing on Funny Sweet Beauty Camera showed that the full-screen ads begin to appear outside of the app only when a filtered photo is downloaded via the app, locally on the device.

In some ways, the functionality is similar to these adware apps discovered by Trend Micro in August.

Both apps have negative reviews on Google Play, which is often (but not always) an indicator of a bad app that has a primary objective of stealing data or carrying out other malicious activities rather than providing a good user experience.

In addition, the APKs of both apps are packed with a Chinese packer, Ijiami. Packers are often used to protect the APK from being unwrapped and analyzed. This functionality is usually used by gaming apps to prevent other developers from copying them, so it isn’t a clear indicator of ill intent.

The apps also request some concerning permissions, which are listed below:

Sun Pro Beauty Camera permissions

  • RECORD_AUDIO – Allows the app to record audio at any time without user confirmation
  • INSTALL_SHORTCUT – Allows the app to create the shortcut, one part of the “stealthy” behavior
  • SYSTEM_ALERT_WINDOW – Allows the app to display content over another app

Funny Sweet Beauty Camera permissions

  • RECORD_AUDIO – Allows the app to record audio at any time without user confirmation
  • RECEIVE_BOOT_COMPLETED – Allows the app to activate after the phone is booted
  • SYSTEM_ALERT_WINDOW – Allows the app to display content over another app

Read more about Android app permissions here.

Wandera Threat Labs reported the apps to Google on September 11, 2019.

Recommendations

To minimize the impact on your organization, we recommend following these steps:

  • Check your app inventory for installations of these apps (Wandera customers can see this in the Security Threat View where the apps will be flagged as adware)
  • Remove instances of the apps if they have been installed
  • Always vet the security of apps, even if they are downloaded from official stores (Wandera customers can do this using App Insights)
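
As an added example (not Wandera's code or detection logic), the sketch below turns the permission lists above into a triage check for the inventory and vetting steps: it parses `aapt dump permissions` output for a set of APKs and flags apps that combine SYSTEM_ALERT_WINDOW with the other permissions named in this article. The rule combinations, the package names and the sample output are assumptions constructed for illustration; a match means the app deserves manual review, not that it is adware.

```python
import re

# Full manifest names of the permissions listed in the article.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
AUDIO = "android.permission.RECORD_AUDIO"
BOOT = "android.permission.RECEIVE_BOOT_COMPLETED"
SHORTCUT = "com.android.launcher.permission.INSTALL_SHORTCUT"
# Assumed review rules (not Wandera's detection logic): label -> required set.
RULES = {
    "overlay+boot": {OVERLAY, BOOT},          # ads over other apps after reboot
    "overlay+shortcut": {OVERLAY, SHORTCUT},  # overlay plus launcher shortcut
    "overlay+audio": {OVERLAY, AUDIO},        # microphone access next to overlay
}
# Accept both aapt styles: name='x.y' and the older bare x.y form.
_PKG = re.compile(r"^package:\s*(?:name=')?([\w.]+)")
_PERM = re.compile(r"^uses-permission(?:-sdk-\d+)?:\s*(?:name=')?([\w.]+)")

def parse_aapt_permissions(text):
    """Parse concatenated `aapt dump permissions` output into {package: perms}."""
    apps, current = {}, None
    for line in map(str.strip, text.splitlines()):
        pkg, perm = _PKG.match(line), _PERM.match(line)
        if pkg:
            current = apps.setdefault(pkg.group(1), set())
        elif perm and current is not None:
            current.add(perm.group(1))
    return apps

def triage(apps):
    """Return {package: [matched rule labels]} for apps that need manual review."""
    matched = {p: [r for r, need in RULES.items() if need <= perms]
               for p, perms in apps.items()}
    return {p: hits for p, hits in matched.items() if hits}

# Constructed sample inventory; package names are placeholders, not the real apps.
SAMPLE = """\
package: com.example.camera.one
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='com.android.launcher.permission.INSTALL_SHORTCUT'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
package: com.example.camera.two
uses-permission: android.permission.RECORD_AUDIO
uses-permission: android.permission.RECEIVE_BOOT_COMPLETED
uses-permission: android.permission.SYSTEM_ALERT_WINDOW
package: com.example.notes
uses-permission: name='android.permission.INTERNET'
"""

if __name__ == "__main__":
    print(triage(parse_aapt_permissions(SAMPLE)))
```

A camera app can have a legitimate reason to request RECORD_AUDIO for video capture, so treat the output as a shortlist for review alongside store reviews and packer findings.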