Android users: got a mobile app named Weather Forecast?
If so, you should squash it like a bug. Google’s Play Store has already swatted it, along with 23 other vermin apps, all of which have cumulatively been downloaded more than 382 million times.
Their commonalities: they all come from a Chinese parent company that’s tucked behind a handful of app developers, and they all have a penchant to ask for ‘dangerous’ permissions, harvest data and send it back to Chinese servers, sneakily launch browser windows and click on ads, and/or sign you up for pricey premium phone numbers.
Researchers from VPN Pro recently discovered the bad apps when looking into the dangerous permissions that popular free antivirus apps request.
Such apps are called rogueware. As Sophos’s Roland Yu has explained in this whitepaper, the term describes apps that pretend to detect and fix problems… while also trying to convince you to pay money or even to add more malware. They ask for permission to upload files to your system – a permission that can lead to an app adding malware to your device that, insult added to injury, you’ll have to pay to remove.
VPN Pro Researcher Jan Youngren said in a blog post on Monday that when his team analyzed 23 companies behind 100+ VPN products, a developer called Hi Security with three VPN products under its name popped up. As the researchers kept digging into the excessive, unnecessary, dangerous permissions these apps ask for, the name Hi Security popped up again.
VPN Pro found that Hi Security was just the tip of the iceberg. It turns out that, tucked away behind the app developer Hi Security, is its owner: a Chinese company called Shenzhen HAWK that has yet another four app developers. Shenzhen HAWK is behind the two dozen apps on VPN Pro’s list of apps to steer clear of, some of which are known for containing malware and rogueware.
Youngren said that the Weather Forecast app is infected with malware: during testing, it was seen harvesting users’ data and sending it to a server in China; subscribing users to premium phone numbers, leading to stiff charges on their phone bills; launching hidden browser windows; and clicking on ads.
These apps have been around for years. Youngren cited another case of one of Hi Security’s bad apps, Virus Cleaner. In 2017, the Indian government told its military to delete the app after it was identified as being spyware or other malware.
Then, in 2018, default apps on Alcatel phones – as in, apps that were foisted on users and weren’t downloaded out of their own, free will – were updated to spew adware. The source of the new, adware-gushing default apps? They too were developed by Shenzhen HAWK.
Named and shamed
After Google got a heads-up from a Forbes writer on Tuesday, it yanked all of the 24 apps in the Shenzhen network from the Play store. These are the apps that it removed:
- HI VPN, Free VPN
- Soccer Pinball
- Dig It
- Laser Break
- Word Crush
- Music Roam
- Word Crossy!
- Puzzle Box
- World Zoo
- Private Browser
- Calendar Lite
- Turbo Browser
- Joy Launcher
- Virus Cleaner 2019
- Super Cleaner
- Hi Security 2019
- Candy Selfie Camera
- Super Battery
- Candy Gallery
- Hi VPN Pro
- Net Master
- filemanager
- Sound Recorder
- Weather Forecast
Google had this to say about reports of the apps’ security and privacy violations:
If we find behavior that violates our policies, we take action.
Well, it’s certainly had practice at that.
Examples include that time in September 2019, when we heard about fleeceware in the Play Store that was automatically charging up to $250 to continue using it beyond its three-day trial period.
As we’ve noted before when covering rogue apps in Play Store, Google often doesn’t seem to notice the problem at all until researchers report the apps for malicious or exploitative behavior.
Unfortunately, bad apps often fall through the automatic screening in the app stores if they themselves don’t flagrantly pull malicious stunts but instead pave the way for a device’s compromise, as pointed out by SophosLabs malware analyst Jagadeesh Chandraiah:
Because the apps themselves aren’t engaging in any kind of traditionally malicious activity, they skirt the rules that would otherwise make it easy for Google to justify removing them from the Play Market.
Latest Naked Security podcast
LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.
Mahhn
It’s a good thing they push updates to disable the malware and also notify people right away (with the email you use to log into the playstore with) so we don’t keep getting taken advantage of by the malware goog indicated was safe initially.
Just kidding, they don’t do any of that.
This is why we don’t allow Android in our work environment, not even to access company Email.
Andy Hartwell
Mahhn, Are you equally controlling about access to company E-mail from other platforms that are susceptible to Malware ? I’m thinking Windows (the target of most malware), Macs, Linux and Jailbroken iOS devices ? Your company does not allow even browser based access from external devices ? I’m not saying its wrong to lock down that tightly but it’s either expensive (issuing each employee with a corporately supplied and managed device) or extremely restrictive. I’m not come across any commercial business that harshly restricted in years !!
Mahhn
Yes, and all our Email is filtered by 2 AV tools, heavy restrictions on attachments in and out. Company devices only for Email. The only External devices our company allows are company owned and managed, with very strict rules over the VPN. It’s not that expensive. With all the breaches going on, our bank does the best it can to prevent opportunity for scum, and they try all day every day, knocking on firewalls, sending malicious trash, dropping thumb drives in the parking lot. Our staff is fantastic about reporting suspect phishing Emails and such. We are far from alone is our methods, as I attend several conferences yearly and am part of multiple groups of similar financial orgs. I expect your bank does the same. I hope so for you. I could go on for hours, but we are far from alone in this, and I do know other places that only allow “text” emails, no images at all. That’s a bit over kill for us. I’ve worked at a government building under contract years ago, their security was,,, there were multiple buildings that if you walked in with your phone, a CD, or thumb drive, it does NOT leave with you, it gets destroyed. If you are protecting billions in other peoples money, or lives, you do the best you can. On the nice side, we have a public wifi for people to use their phones on, as well as break room PCs that only block porn and gambling lol. Our people are our best defense no matter the tools.
Anonymous
My phone is still showing for me to change my home launcher setting to weather forecast.. …joy launcher to set in home launcher.. Super Clean too ..keep telling me I have junk mail to super clean it… Constantly doing this….