PSA: Security researchers recently discovered over two dozen malicious Android apps that had become popular on the Google Play Store. They masquerade as innocuous tools while secretly monitoring users and stealing their information. Google removed most of them, but they likely remain installed on many devices.
This week, security group Dr. Web published its June 2022 mobile virus activity report describing around 30 popular Android apps containing trojans, adware, spyware, and other malware. Some had hundreds of thousands or even millions of Google Play Store downloads.
The malicious apps mostly appear as photo editors, theme customization, and wallpaper apps. The list also had an emoji keyboard and note-taking app hiding malware in their coding.
Once users install them, they will display intrusive ads, scam customers, and grab information from devices while hiding themselves from users. One specifically targets WhatsApp messages. Another steals information from other app notifications, downloads additional software, or prompts users to install other apps.
Others are even more vicious, including one that covertly takes videos and photos. Another allows hackers to read a device's texts, track its location, view its browser history, turn on its microphone, log keystrokes, and access other data.
Dr. Web also describes malware that steals information to hack Facebook accounts. They may ask victims to log into authentic Facebook sign-in prompts before intercepting the input data. Another type of malware hiding in scam apps downloads and runs arbitrary code that secretly enrolls users into paid subscriptions.
Some apps provide their advertised functionality while hacking users under the hood. However, others are entirely bogus, like simulated dating services that ask for personal information and subscription payments to continue fake chats.
Some of the malware consists of adware that displays annoying ads. They show various notifications and load full-screen ads that block other apps entirely.
Once downloaded, these fraudulent apps may ask for various permissions to let them secretly monitor users and steal data. These include prompts to continuously run in the background, display on top of other apps, or disable recording notifications. The apps might also replace their original home menu icons with less conspicuous ones to hide.
Google removed almost all the affected apps after Dr. Web notified the company, but a few are still on the Play Store. Dr. Web publicly posted the complete list of bad apples (sample below). If you installed any, you should manually search for them, delete them, and then run a virus scan.
- Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
- Photo Editor: Art Filters (gb.painnt.moonlightingnine)
- Photo Editor & Background Eraser (de.photoground.twentysixshot)
- Photo & Exif Editor (de.xnano.photoexifeditornine)
- Photo Editor - Filters Effects (de.hitopgop.sixtyeightgx)
- Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)
- Neon Theme - Android Keyboard (com.androidneonkeyboard.app)
- Fancy Charging (com.fancyanimatedbattery.app)
- FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)
- Call Skins - Caller Themes (com.rockskinthemes.app)
- Funny Caller (com.funnycallercustomtheme.app)