Slashdot Mirror


Google Play Apps With Over 4.3 Million Downloads Stole Pics, Pushed Porn Ads (arstechnica.com)

Google has banned dozens of Android apps downloaded millions of times from the official Play Store after researchers discovered they were being used to display phishing and scam ads or perform other malicious acts. Ars Technica reports: A blog post published by security firm Trend Micro listed 29 camera- or photo-related apps, with the top 11 of them fetching 100,000 to 1 million downloads each. One crop of apps caused browsers to display full-screen ads when users unlocked their devices. Clicking the pop-up ads in some cases caused a paid online pornography player to be downloaded, although it was incapable of playing content. The apps were carefully designed to conceal their malicious capabilities. The apps also hid their icons from the Android app list. That made it hard for users to uninstall the apps, since there was no icon to drag and delete. The apps also used compression archives known as packers to make it harder for researchers -- or presumably, tools Google might use to weed out malicious apps -- from analyzing the wares.

Trend Micro researchers discovered another batch of apps that falsely promised to allow users to "beautify" their pictures by uploading them to a designated server. Instead of delivering an edited photo, however, the server provided a picture with a fake update prompt in nine different languages. The apps made it possible for the developers to collect the uploaded photos, possibly for use in fake profile pics or for other malicious purposes. The developers took pains to prevent users from detecting what was happening. "The remote server used by these apps is encoded with BASE64 twice in the code," Wu wrote. "In addition, several of these apps can also hide themselves via the same hidden technique mentioned above."
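
Nested BASE64 of the kind Wu describes hides a server address from a plain string search but is cheap to undo during static triage. The following Python scanner is an added example, not code from Trend Micro or from the original page: it peels base64 layers from string literals in decompiled source and reports those that resolve to a URL or host name after two or more layers. The sample source, the URL and all function names are constructed for illustration.

```python
import base64
import binascii
import re

# Candidate literals: double-quoted runs of the base64 alphabet, 16+ characters.
LITERAL_RE = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')
# Shape of a decoded endpoint: a URL, or a bare host name with optional port/path.
ENDPOINT_RE = re.compile(
    r'^(?:https?://\S+|(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:/\S*)?)$', re.I)


def try_b64(text):
    """Strictly decode one base64 layer; return printable ASCII text or None."""
    if not text or len(text) % 4 != 0:
        return None
    try:
        decoded = base64.b64decode(text, validate=True).decode("ascii")
    except (binascii.Error, ValueError):  # bad alphabet/padding or binary payload
        return None
    return decoded if decoded and decoded.isprintable() else None


def peel(literal, max_layers=4):
    """Decode nested base64 and return (layers_removed, final_text)."""
    layers, current = 0, literal
    while layers < max_layers:
        nxt = try_b64(current)
        if nxt is None:
            break
        current, layers = nxt, layers + 1
    return layers, current


def scan_source(source, min_layers=2):
    """Return (line, layers, endpoint) for literals hiding an endpoint."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for match in LITERAL_RE.finditer(line):
            layers, text = peel(match.group(1))
            if layers >= min_layers and ENDPOINT_RE.match(text):
                findings.append((lineno, layers, text))
    return findings


def _b64(data):
    return base64.b64encode(data if isinstance(data, bytes) else data.encode()).decode()


# Constructed sample: a double-encoded upload URL, a singly encoded asset URL
# and a binary blob (PNG header), the last two being ordinary uses of base64.
SAMPLE_URL = "http://photo-upload.example.invalid/api"
SAMPLE_SOURCE = "\n".join([
    "class Config {",
    '    static final String HOST = "%s";' % _b64(_b64(SAMPLE_URL)),
    '    static final String CDN = "%s";' % _b64("https://cdn.example.invalid/a.png"),
    '    static final String ICON = "%s";' % _b64(b"\x89PNG\r\n\x1a\n" + bytes(16)),
    "}",
])

if __name__ == "__main__":
    for lineno, layers, endpoint in scan_source(SAMPLE_SOURCE):
        print("line %d: %d base64 layers -> %s" % (lineno, layers, endpoint))
```

Requiring at least two layers and an endpoint-shaped result keeps ordinary base64 payloads, such as embedded images or serialized data, out of the findings.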

48 comments

  1. How do these bullshit apps get so many downloads? by Anonymous Coward · · Score: 0

    I mean really?

  2. Holy fuck google! by Anonymous Coward · · Score: 0

    You can lock down the chrome browser so tight that extension developers can hardly do their jobs, but you have seemingly no control of your play store?!?

    I blame java. It's so wordy that nobody wants to audit the code. :p

    1. Re:Holy fuck google! by TheRaven64 · · Score: 1

      It's quite understandable. The goal of the Play Store is to make it possible to install things that use Google Play Services and provide personal information on users to Google. Similarly, the goal of Chrome is to make it easy to load web pages that depend on Google Ads and Google Analytics, to send personal information on users to Google. Both are doing their job. Tightening restrictions on Chrome extensions makes it harder for things that prevent Google from data harvesting. Weakening restrictions in the Play Store makes it easier for things that data harvest on behalf of Google. They're entirely self consistent activities.

      --
      I am TheRaven on Soylent News
  3. Re: How do these bullshit apps get so many downloa by Anonymous Coward · · Score: 0

    If you install and uninstall (but not remove it completely from your play library), it still counts as a download.

    Presumably people were smart enough to see that the beautify app didn't work and stopped using it... It's pretty stupid since any service that uploads pictures can do whatever with it, regardless of the platform.

  4. Why is a third-party firm doing Google's job? by Anonymous Coward · · Score: 0

    Obviously these malicious programs can be found using more effort than Google expends. So why is the multi-billion dollar company responsible for the store not doing these more-rigorous tests?

    1. Re:Why is a third-party firm doing Google's job? by Anonymous Coward · · Score: 0

      Obviously these malicious programs can be found using more effort than Google expends. So why is the multi-billion dollar company responsible for the store not doing these more-rigorous tests?

      Google makes money off of advertising, so does Facebook.

      Facebook found a new revenue stream in getting users to use VPN software that was constructed to allow Facebook to see everything they did.

      When action is taken against these privacy destroying companies it will not be soon enough.

  5. OMG! by bob4u2c · · Score: 1

    "The remote server used by these apps is encoded with BASE64 twice in the code," Wu wrote.

    Those tricky devils!

    1. Re: OMG! by Anonymous Coward · · Score: 0

      That part made no sense. It's like in the movies when they have to make up tech words to explain the big hack they are trying to pull off.

  6. Did they use QUADRUPLE ROT13 encryption, too? by WoodstockJeff · · Score: 1

    Stronger than D-ROT13, and MORE FIENDISH!

  7. It's not stolen by Anonymous Coward · · Score: 0

    If the users gave the app permissions when it asked for access to local media files. Android apps have to beg for access using system dialogs, so they can't hack their way into your nude selfies.

    1. Re: It's not stolen by Anonymous Coward · · Score: 0

      I banned google play and anything that uses it HAHA!

  8. AAAAHAHAHAHAHAHA!!! by Anonymous Coward · · Score: 0

    My sides, they're exploding, I'm laughing so hard!
    You idiots and your ridiculous 'smartphones'! You were warned about them now you get what you so richly deserve: CUCKED.

    Come on Humans, throw your stupidphone away and get a normal dumbphone and stop getting used like a toilet!

    1. Re: AAAAHAHAHAHAHAHA!!! by Anonymous Coward · · Score: 0

      Sounds like you are familiar with being used as a toilet and a cuckold. But as sad as your life may seem today there is hope in Jesus if you will submit.

      Or not.

    2. Re:AAAAHAHAHAHAHAHA!!! by zieroh · · Score: 1

      I think you're projecting again.

      --
      People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
    3. Re:AAAAHAHAHAHAHAHA!!! by Anonymous Coward · · Score: 0

      LOL you dumb ASS I have never nor will I ever have a goddamned smartphone, you NINNY, because I knew better and you're all IDIOTS!

    4. Re:AAAAHAHAHAHAHAHA!!! by zieroh · · Score: 1

      I didn't say you had a smartphone, nor did I say you need one. I said you're projecting.

      --
      People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  9. So not much worse than Google's own apps? by Anonymous Coward · · Score: 0

    I'm not defending the scam apps, but Google doesn't exactly hold the moral high ground, here.

  10. Re:How do these bullshit apps get so many download by AHuxley · · Score: 1

    Like shareware and postcardware https://en.wikipedia.org/wiki/... during the early years of computing the apps do one needed task and do it well.

    --
    Domestic spying is now "Benign Information Gathering"
  11. The List in plain text by Freshly+Exhumed · · Score: 4, Informative

    Indicators of Compromise (IoCs)

    Package "Label" Installs

    com.beauty.camera.years.pro "Pro Camera Beauty" 1,000,000+
    com.cartoon.art.photo.ygy.camera "Cartoon Art Photo" 1,000,000+
    com.lyrebirdstudio.emoji_camera "Emoji Camera" 1,000,000+
    art.eff.filter.photo.editor "Artistic effect Filter" 500,000+
    art.filter.editor.imge "Art Editor" 100,000+
    com.beauty.camera.project.cloud "Beauty Camera" 100,000+
    com.selfie.camerapro.pro "Selfie Camera Pro" 100,000+
    com.camera.beauty.kwok.horizon "Horizon Beauty Camera" 100,000+
    com.camera.ygysuper.photograph "Super Camera" 100,000+
    com.effects.art.photo.for.self "Art Effects for Photo" 100,000+
    com.solidblack.awesome.cartoon.art.pics.photo.editor "Awesome Cartoon Art" 100,000+
    com.photoeditor.artfilterphoto "Art Filter Photo" 50,000+
    com.photocorner.artfilter.arteffect.prizma "Art Filter Photo Effcts" 10,000+
    com.picfix.cartoonphotoeffects "Cartoon Effect" 10,000+
    com.picsartitude.arteffect "Art Effect" 10,000+
    com.csmart.photoframelab "Photo Editor" 5,000+
    com.wallpapers.nuclear.hd.hd3d.best.live.nuclear "Wallpapers HD" 5,000+
    com.perfectmakeup.magicartfilter.photoeditor.selfiecamera "Magic Art Filter Photo Editor" 5,000+
    appworld.fillartphotoeditor.technology "Fill Art Photo Editor" 1,000+
    com.artflipphotoediting "ArtFlipPhotoEditing" 1,000+
    com.artphoto.artfilter.artpiczone "Art Filter" 1,000+
    com.photoeditor.cartoonphoto "Cartoon Art Photo" 1,000+
    com.photoeditor.prismaeffects "Prizma Photo Effect" 1,000+
    com.cmds.artphotofiltereffect "Cartoon Art Photo Filter" 100+
    com.latestnewappzone.photoartfiltereditor "Art Filter Photo Editor" 100+
    com.livewallpaperstudio.pixture "Pixture" 100+
    app.pixelworlds.arteffect "Art Effect" 50+
    timepassvideostatus.photoarteffect.cartoonpainteffect "Photo Art Effect" 10+
    com.techbuzz.cartoonfilter "Cartoon Photo Filter" 5+

    --
    I deny that I have not avoided attaining the opposite of that which I do not want.
    1. Re:The List in plain text by Anonymous Coward · · Score: 0

      Just.ditch.any.app.using.lots.of.periods.
      They.don't.HAVE.to.do.that.you.know.
      Bad.actors.like.silly.naming.conventions.

    2. Re: The List in plain text by Anonymous Coward · · Score: 0

      You are an idiot lol.

  12. The Problem with App Stores by duke_cheetah2003 · · Score: 3, Insightful

    The basic problem (and benefit, sadly) of these wretched App Stores is pretty simple. They put everyone on a level playing field to publish apps. This seems like a good thing, but it's not. Not even close.

    Gone are the days of going to a reputable vendor to acquire software you're interested in. Instead, you search the app store, and reputable and disreputable apps are offered up.

    This is a serious problem and the Achilles heel of App Store, and why I've railed against them for years. They are not a good idea, not even close. We need to go back to the previous way of doing things, where reputable companies are rewarded by customers when they act responsibly, and disreputable companies go out of business cuz no one buys their garbage.

    The App store model short circuits this, and when an App is found to be malicious, the publisher found to be disreputable, they just fold up their junk and republish under a new name, with a new malicious app. This is really broken folks.

    1. Re:The Problem with App Stores by Anonymous Coward · · Score: 0

      That's why the Apple app store is reviewed by actual humans. Google is just cheap.

    2. Re:The Problem with App Stores by Anonymous Coward · · Score: 0

      Well, wrong.
      Before, you could buy/download sw from the whole world. So you went to stores with a reputation, or stuck with some vendors. Or you could take your chances...

      The app store isn't "a vendor". It is "the world". You can still restrict yourself to reputable vendors within the app store. Want a pdf reader? The adobe one is probably not a logic bomb. Want funny little games? Go with someone who has made funny little games for 5 years. They have a reputation they don't want to lose.

      New guys on the block? Let them be, for a couple of years. Unless a thorough review comes through.

  13. Re:How do these bullshit apps get so many download by zieroh · · Score: 1

    Wait -- so this means that Google has the ability to ban any app, for any reason they choose, at any time? I think this is a far bigger story. Do we really want to live in a world where Google has absolute control over any application on their platform?

    --
    People who say "sheeple" have about as much sophistication as an AOL user, and in fact are probably actually AOL users.
  14. Thanks Google! by Anonymous Coward · · Score: 0

    The fucking retards at google have screwed up YET AGAIN. Does google only hire morons now? Apparently so, if their quality control dept. is any indication. I can't think of a stupider company. Please die already, google, and make the world a better and safer place.

    1. Re:Thanks Google! by Anonymous Coward · · Score: 0

      But to get hired at Google you have to go through 16 hours of doing algorithm puzzlers on a white board, so that proves their employees must be good!

  15. Double BASE64 by Anonymous Coward · · Score: 0

    The remote server used by these apps is encoded with BASE64 twice in the code

    Is this method better than double ROT13?

  16. Why not me? by AndyKron · · Score: 1

    How come I never get apps that push porn? I feel somehow cheated.

    1. Re:Why not me? by sheramil · · Score: 1

      You have to pay extra for that.

      I observe that the compromised apps are all of the variety that apply cute stickers to selfies. I wonder what sort of porn those users are being targeted with? Perhaps deepfakes of themselves.

  17. Serious Issue! by Anonymous Coward · · Score: 0

    Google needs to act on this

  18. Takes one to know one by DrXym · · Score: 1

    I have Trend Micro installed at work, it interferes with the OS, deletes software even code I've written and I'm debugging, locks files, slows down internet access and has annoying popups. I can't delete this junk due to corp policy. I lose hours of productivity every week due to it. Believe me, if you install TM products to deal with the problem of malware, then now you have two problems.

    1. Re:Takes one to know one by Anonymous Coward · · Score: 0

      I think you are confusing Trend Micro with Windows 10.

  19. Re:How do these bullshit apps get so many download by Anonymous Coward · · Score: 0

    Do we really want to live in a world where Google has absolute control over any application on their platform?

    It doesn't matter if you want it or not. You do live in that world.

  20. Common in PHP-based malware by raymorris · · Score: 1

    I found that interesting because that has long been common in PHP-based malware, snippets that bad actors add to legitimate PHP pages. Many years ago I wrote software to scan a web server for malware and base64_decode was one thing it looked for.

    1. Re:Common in PHP-based malware by dgatwood · · Score: 1

      Of course, it's also the way you move protobufs from client to server, so don't be surprised if you see it used pretty frequently in some server software. :-)

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

  21. Google may be more rigorous, find 99.99% by raymorris · · Score: 1

    I understand your frustration. Unfortunately, in security the defender can do a very good job and still miss an attack.

    "Missed one" doesn't mean they didn't catch and stop 10,000 others. Google could be catching and preventing 99.99% of attempts to put something nasty in the Play Store, and still some would get through - 0.01%, to be exact.

    What we know is that Google didn't do the exact same checks that these researchers did, at the exact same time, on the same apps.

    This isn't to excuse any weaknesses that Google may have, simply pointing out the reason security is hard. If the defender is successful 99.9% of the time and the attacker only 0.1% of the time, the attacker wins.

    On the other hand, if the attacker gets away with 99 times before being criminally prosecuted one time, they lose. So there's that.

  22. You're getting "as bad" as me (lol)... apk by Anonymous Coward · · Score: 0
  23. Walled garden by DogDude · · Score: 1

    The problem is the stupid walled garden of "smart" phones. Either you're being fucked by Apple or Google. Take your pick. There's no way around it.

    --
    I don't respond to AC's.
  24. Re:How do these bullshit apps get so many download by TheRaven64 · · Score: 1

    That's not news because the fact that Google and Apple have complete control over their respective app stores is well known. Apple's control over iOS is tighter than Google's control over Android in some ways because at least there are alternative ways of getting pre-built applications for Android (for example, Amazon's app store or F-Droid), whereas the only ways of installing apps on an iOS device other than from Apple's store are to build them from source (on a Mac) or to have a corporate account that lets you install internal apps on a limited number of devices.

    The more troubling thing is the number of Android apps that depend on Google Play Services and so won't work on an Android phone without some proprietary Google code running with elevated privileges, even if you could get them from another source.

    --
    I am TheRaven on Soylent News
  25. Re:How do these bullshit apps get so many download by Anonymous Coward · · Score: 0

    We don't. Google has control over what's in their "play store". You can sideload anything you like, including stuff Google hates.

  26. Re:How do these bullshit apps get so many download by Anonymous Coward · · Score: 0

    Most people are entitled, cheapskate, tech illiterates who don't understand anything about computer security while simultaneously wanting everything for free. They end up downloading practically everything that has an even slightly enticing description.

    This is why I tell my tech newb friends and family to let me know before they install anything on their computers or phones so that I can check it out and make sure it's safe and doesn't request unnecessary permissions, contain spyware, ads or IAPs.

  27. Apps hide themselves!?! by dgatwood · · Score: 1

    Wu wrote. "In addition, several of these apps can also hide themselves via the same hidden technique mentioned above."

    Wait.... Why is that even possible? Every app that is installed should have an icon on the home screen, and if the icon is missing or damaged, the OS should substitute a default icon. Is there some valid/reasonable use for this behavior that I'm missing? If not, it seems like the right fix is to just remove the feature.

    --

    Check out my sci-fi/humor trilogy at PatriotsBooks.

    1. Re:Apps hide themselves!?! by tlhIngan · · Score: 1

      Wu wrote. "In addition, several of these apps can also hide themselves via the same hidden technique mentioned above."

      Wait.... Why is that even possible? Every app that is installed should have an icon on the home screen, and if the icon is missing or damaged, the OS should substitute a default icon. Is there some valid/reasonable use for this behavior that I'm missing? If not, it seems like the right fix is to just remove the feature.

      Unfortunately it's not possible due to Android architecture. An APK file is not just an app, but can be services or other things. And unlike Apple, where every app must have an icon, there are plenty of APKs in the Android system itself that do not have icons (usually system services and other stuff). So on Android, if you install a new keyboard, it won't have an icon in the launcher and it will auto-hook itself to the keyboard input panel. On iOS, it would do the same thing, however it would have an icon where you would learn more about what it does at the very minimum and maybe offer some options you can adjust.

  28. Re:How do these bullshit apps get so many download by Anonymous Coward · · Score: 0

    Sideloaded apps don't come from their platform, genius.