Hidden within the all too frequent reports of malware-laced apps and adware lurking on Google’s Play Store, there is an ominous theme—networks of Chinese developers sharing code, resources and know-how. And it’s this that’s behind the latest warning from VPNpro in a new report claiming that a large, government-linked Chinese company is “secretly behind 24 popular apps seeking dangerous permissions.” And while such apps are often dismissed as a nuisance, the team warns that these ones may be involved in “much more malicious behaviour.”
I shared the findings of the report with Google, and the tech giant acted swiftly and decisively, removing all of the apps listed in the report from the Play Store—apps with 382 million installs in combination. “We take reports of security and privacy violations seriously,” Google told me. “If we find behaviour that violates our policies, we take action.” And that’s certainly what has happened here.
The new findings came to light when VPNpro delved further into the Chinese networks it found to be behind popular VPN products on the store—I’ve reported before on the VPN developers in China and Hong Kong. One of those companies, it says, is especially worrying. Hi Security, VPNpro claims, requests particularly dangerous permissions within its VPN apps. And so the team says it decided to investigate, finding links to a Chinese company called Shenzhen HAWK that is “secretly” behind Hi Security as well as four other app developers.
Shenzhen HAWK is a subsidiary of TCL Corporation, a huge and partially state-owned Chinese electronics corporation that has licensed branded manufacturing rights from Alcatel, BlackBerry and HP/Palm. A year ago, ZDNet reported that TCL was responsible for the malware-laced Weather Forecast app that was preinstalled on Alcatel smartphones, and which “surreptitiously subscribed device owners to premium phone numbers behind their backs.”
But this, it now seems, is just the tip of the iceberg when it comes to this network of dangerous apps, threatening hundreds of millions of Android devices. Virus Cleaner, another of the Hi Security apps, was the subject of an Indian government warning in 2017, identified as hiding “spyware or other malware.”
I shared the report’s findings with TCL ahead of publication, but there has been no comment as yet—anything received will be added here.
In its report, published today (February 3), VPNpro maps out the Shenzhen HAWK network—the five linked developers and those 24 apps.
VPNpro provided me with a list of the 24 apps and their APKs, saying that as at January 31 all but two (Super Battery and Dig It) were still available to download and install from the Play Store. Google has now removed the rest. If you have any of those apps installed, VPNpro recommends that you “take matters into your own hands—deleting them from your phone as soon as possible.”
The breadcrumbs leading to Shenzhen HAWK’s network of apps are not hard to follow, VPNpro reports. On its own website, the company lists 13 apps from five developers. Those five developers are behind the 24 apps disclosed by VPNpro.
So are users genuinely at risk? Well, let’s take a look at the permissions these mostly trivial apps request when they are installed—this is the key to the level of access users are granting to their digital secrets. In short, the risks users open themselves up to are predicated on the permissions they provide.
Of the 24 apps listed in the report, six request access to a user’s camera and two to the phone itself, meaning they can place calls. 15 of the apps can access a user’s GPS location and read data on external storage, while 14 can collect and return details of a user’s phone and network. One of the apps can record audio on the device or its own servers, another can access a user’s contacts.
You get the point.
Once installed, these apps can communicate with an external server controlled by their developers. By retrieving location and user details, the lowest risk is that this fuels targeted marketing, with user data sold to advertisers who will then be able to personalise unwanted ads for those users. Those servers are in China, and at least one of those apps—Weather Forecast—was reportedly sending user data there. The permissions granted would enable premium calls to be made, websites to be visited and additional malware to be dowloaded onto a device.
And this is the crux for users. Forget the apps themselves. Once a device is compromised, the door has been unlocked and left ajar. It is trivial for an app to trigger the install of others and even to determine the best type of malware for the specific device, based on language, location, even user behaviours.
Please give due care and attention to the apps from unknown developers that you allow onto your devices. These risks are real. The permissions being requested are real, as are the past issues with malware and data theft.
For its part, Google is working to combat the dangers on the Play Store, and in establishing the App Defense Alliance with third-party security research firms, the U.S. giant seems to be taking this issue seriously. But right now, the onus remains on the user community to be cautious and to apply common sense to their downloads and installs, just as they do with the websites they visit and the email or message attachments they open.
As VPNpro warns, “apps that seem innocent may actually be reading and changing your files, selling your data, or much worse—remember, you are the last line of defence against malicious software.”
Needless to say, if you have any of those 24 apps installed on your phones you should delete them and all of their data right away.
—
Updated on February 4 with Google’s confirmation of the Play Store expulsion of all 24 apps listed in the report.
