Android pulls 24 ‘dangerous’ malware-filled apps from Play Store

Android users: got a mobile app named Weather Forecast?

If so, you should squash it like a bug. Google’s Play Store has already swatted it, along with 23 other vermin apps, all of which have cumulatively been downloaded more than 382 million times.

Their commonalities: they all come from a Chinese parent company that’s tucked behind a handful of app developers, and they all have a penchant to ask for ‘dangerous’ permissions, harvest data and send it back to Chinese servers, sneakily launch browser windows and click on ads, and/or sign you up for pricey premium phone numbers.

Researchers from VPN Pro recently discovered the bad apps when looking into the dangerous permissions that popular free antivirus apps request.

Such apps are called rogueware. As Sophos’s Roland Yu has explained in this whitepaper, the term describes apps that pretend to detect and fix problems… while also trying to convince you to pay money or even to add more malware. They ask for permission to upload files to your system – a permission that can lead to an app adding malware to your device that, insult added to injury, you’ll have to pay to remove.

VPN Pro Researcher Jan Youngren said in a blog post on Monday that when his team analyzed 23 companies behind 100+ VPN products, a developer called Hi Security with three VPN products under its name popped up. As the researchers kept digging into the excessive, unnecessary, dangerous permissions these apps ask for, the name Hi Security popped up again.

VPN Pro found that Hi Security was just the tip of the iceberg. It turns out that, tucked away behind the app developer Hi Security, is its owner: a Chinese company called Shenzhen HAWK that has yet another four app developers. Shenzhen HAWK is behind the two dozen apps on VPN Pro’s list of apps to steer clear of, some of which are known for containing malware and rogueware.

Youngren said that the Weather Forecast app is infected with malware: during testing, it was seen harvesting users’ data and sending it to a server in China; subscribing users to premium phone numbers, leading to stiff charges on their phone bills; launching hidden browser windows; and clicking on ads.

These apps have been around for years. Youngren cited another case of one of Hi Security’s bad apps, Virus Cleaner. In 2017, the Indian government told its military to delete the app after it was identified as being spyware or other malware.

Then, in 2018, default apps on Alcatel phones – as in, apps that were foisted on users and weren’t downloaded out of their own, free will – were updated to spew adware. The source of the new, adware-gushing default apps? They too were developed by Shenzhen HAWK.

Named and shamed

After Google got a heads-up from a Forbes writer on Tuesday, it yanked all of the 24 apps in the Shenzhen network from the Play store. These are the apps that it removed:

  • HI VPN, Free VPN
  • Soccer Pinball
  • Dig It
  • Laser Break
  • Word Crush
  • Music Roam
  • Word Crossy!
  • Puzzle Box
  • World Zoo
  • Private Browser
  • Calendar Lite
  • Turbo Browser
  • Joy Launcher
  • Virus Cleaner 2019
  • Super Cleaner
  • Hi Security 2019
  • Candy Selfie Camera
  • Super Battery
  • Candy Gallery
  • Hi VPN Pro
  • Net Master
  • filemanager
  • Sound Recorder
  • Weather Forecast

Google had this to say about reports of the apps’ security and privacy violations:

If we find behavior that violates our policies, we take action.

Well, it’s certainly had practice at that.

Examples include that time in September 2019, when we heard about fleeceware in the Play Store that was automatically charging up to $250 to continue using it beyond its three-day trial period.

As we’ve noted before when covering rogue apps in Play Store, Google often doesn’t seem to notice the problem at all until researchers report the apps for malicious or exploitative behavior.

Unfortunately, bad apps often fall through the automatic screening in the app stores if they themselves don’t flagrantly pull malicious stunts but instead pave the way for a device’s compromise, as pointed out by SophosLabs malware analyst Jagadeesh Chandraiah:

Because the apps themselves aren’t engaging in any kind of traditionally malicious activity, they skirt the rules that would otherwise make it easy for Google to justify removing them from the Play Market.

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.