Wandera experts said that two malicious selfie apps, now removed from Google Play, tracked users and showed ads. One of them lasted two years in the catalog. Their malicious features included showing full-screen advertising banners and covertly recording audio.
Potentially dangerous software was placed in the catalog under the guise of the selfie apps Sun Pro Beauty Camera (over 1 million downloads) and Funny Sweet Beauty Selfie Camera (over 500 thousand).
The first malware started broadcasting ads immediately after installation. The second waited until the victim decided to download filters to their device.
“Users could suspect something was wrong with the permissions that the adware applications required. In addition to access to the camera, they requested the ability to call system alerts and access to the microphone. In principle, these privileges are not needed for taking selfies, and legitimate applications rarely use such opportunities,” say Wandera experts.
Once on the device, the malware created its own shortcuts on the home screen and removed itself from the list of applications. Thus, if the victim tried to remove the apps in the usual way (removing the icon from the screen), only the shortcut would disappear from the device, and the programs themselves continued broadcasting intrusive ads to users.
In the code of Funny Sweet Beauty Selfie Camera, experts also found an additional function that helped the malware maintain activity. After rebooting the device, it automatically resumed operation.
“In addition to the usual permissions that any application with access to the camera asks for, others have been discovered, including SYSTEM_ALERT_WINDOW. This feature allows the application to display arbitrary content on top of other applications. This can be used to capture clicks or to trick users into entering confidential information such as credentials or bank details”, — inform Wandera experts.
Another strange permission is RECORD_AUDIO, which, as the name implies, allows the app to capture sound from the device’s microphone without warning. This suggests that, if desired, the applications could be used for far more than just displaying ads.
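As an added example (not from Wandera or the original article), the following Python script audits a decoded AndroidManifest.xml for the permissions discussed above. The baseline set, the sample manifest, its package name and the RECEIVE_BOOT_COMPLETED entry (an assumed mechanism for the restart-after-reboot behaviour) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline for a selfie/camera app (constructed for this example).
CAMERA_APP_BASELINE = {
    "android.permission.CAMERA",
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}

# Permissions that deserve a second look in a camera app, with the reason.
SUSPICIOUS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (ads, click capture, fake forms)",
    "android.permission.RECORD_AUDIO": "captures microphone audio, not needed for still photos",
    # Not named in the article: assumed mechanism for resuming after reboot.
    "android.permission.RECEIVE_BOOT_COMPLETED": "lets the app restart itself after a reboot",
}

def requested_permissions(manifest_xml):
    """Return the set of permission names declared in a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names

def audit(manifest_xml):
    """Split requested permissions into flagged ones and others outside the baseline."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: SUSPICIOUS[p] for p in sorted(perms & set(SUSPICIOUS))}
    extra = sorted(perms - CAMERA_APP_BASELINE - set(SUSPICIOUS))
    return {"flagged": flagged, "beyond_baseline": extra}

# Constructed sample manifest with a hypothetical package name.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.selfiecam">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

if __name__ == "__main__":
    for perm, why in audit(SAMPLE_MANIFEST)["flagged"].items():
        print(f"[!] {perm}: {why}")
```

The input is the text form of the manifest, as produced by an APK decoding tool; the binary manifest inside an APK must be decoded first.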
How to avoid infection of the phone?
Currently, both infected applications have been removed from the Google Play store. However, the devices on which they are already installed remain at risk. Since it is impossible to get rid of this malware in the usual way, affected users need to go into the settings of their device and perform manual removal.
In recent months, the official Android catalog has been constantly getting into cybersecurity news due to malware. In addition to the relatively harmless adware, experts found spyware, keyloggers, droppers and other malware in the store.
Negative reviews on Google Play can also warn users against downloading false selfie utilities.