Malicious ‘Beauty Camera’ Apps that Steal Personal Pictures

At least 4 million Android users have reportedly got their devices infected with malicious beauty camera apps that are downloaded from Google play and which could steal personal pictures.

Security researchers at Trend Micro discovered these malicious apps, which have been downloaded millions of times. In a detailed blog post, Lorin Wu, Mobile Threats Analyst at Trend Micro writes, “We discovered several beauty camera apps (detected as AndroidOS_BadCamera.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes. Some of these have already been downloaded millions of times, which is unsurprising given the popularity of these kinds of apps. A large number of the download counts originated from Asia — particularly in India.”

A user who downloads one of these apps won’t suspect anything wrong until he decides to delete it. He would find it difficult to uninstall the app, which hides its icon from the application list. The user would thus be unable to drag and delete the app. Trend Micro researchers also found that these camera apps use packers that prevent them from being analyzed. Moreover, when a user unlocks his device, this app would push several full-screen ads, which would pop up via the browser. These ads include malicious ads, sometimes containing pornographic or other fraudulent content. Lorin Wu writes, “During our analysis, we found a paid online pornography player (detected as AndroidOS_PornPlayer.UHRXA) that was downloaded when clicking the pop up. Take note, however, that nothing will play, even after the user pays and executes the player.”

A notable thing about these ads that pop up is that the user won’t be able to determine where the ads are coming from. He won’t realize that the ads are because of the app he has downloaded. The Trend Micro blog post also says that some of these apps redirect users to phishing websites that ask for personal info, including phone number, address etc.

The Trend Micro researchers also found, on investigating further, some malicious camera apps that could be used to steal pictures and use them for malicious purposes. The Trend Micro blog post explains, “Further investigation led to another batch of photo filter-related apps that share similar behavior on Google Play. These apps seemingly allows users to “beautify” their pictures by uploading them to the designated server. However, instead of getting a final result with the edited photo, the user gets a picture with a fake update prompt in nine different languages. The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media.”

Researchers found 29 such apps, all of which claimed to be camera or photo-editing related. The most popular among these were “Pro Camera Beauty,” “Cartoon Art Photo,” and “Emoji Camera,”; each of these apps was downloaded more than one million times.

Google, on being intimated of these apps, had taken down all of them. The Trend Micro analysts advise users to check the legitimacy of apps before using them. Lorin Wu writes, “Given that many of these malicious apps take great pains to look as legitimate as possible, users should always investigate the legitimacy of an app. One good method of doing this is by checking reviews from other users. If the reviews mention any kind of suspicious behavior, then it might be a good idea to refrain from downloading the app.”