A number of privacy vault apps on the Google Play Store are doing the opposite of what they advertise.
These apps purport to create encrypted containers on Android devices, giving users a safe place to store sensitive files and private photos. The container protects these files in the event an unauthorized party gains access to the device, whether by hacking it or simply physically taking it.
There’s nothing wrong with that idea, of course; personal encryption software has been doing it on computers for decades now. But malicious actors are leveraging the always-connected nature of Android (and some weaknesses in its permissions system and Play Store listing policies) to use these containers as a remote backdoor, doing everything from wrangling the device into an ad fraud scheme to simply exfiltrating user data and files.
A plague of bogus privacy vault apps
A recent study headed by Cybernews reporter Edvardas Mikalauskas reveals just how common these suspect privacy vault apps are on the Play Store, and the extent of their malicious capabilities.
Mikalauskas names and shames some specific privacy vault apps as prominent examples. One of the most commonly used is Security Master, which had over 500 million installs before being removed from the Play Store. This app also claimed to provide a VPN and antivirus protection. It may be doing all of those things to some extent, but it is also logging and exfiltrating a variety of private user web browsing data (such as search engine queries and URLs visited) as well as harnessing devices for fake clicks as part of an ad fraud scheme. Google has since removed the app from the Play Store.
Another app called “Vault – Hide Pics & Videos, App Lock, Free Backup” was found to be exfiltrating personal data such as phone numbers, IMEIs and lists of apps on the device. While the clumsy name might initially make one think that this app couldn’t possibly be in widespread use, it has actually been downloaded 50 million times. The developer, cxzh.ltd, has found great success in staying on the Play Store by simply changing one or two elements of this word salad and re-uploading the app every time it gets flagged.
An app called “Video Hider – Privacy Lock” has the disturbing ability to access and activate the camera without permissions or notification, and uses this ability to snap a picture of the user whenever there is an unsuccessful attempt to unlock the device. And at least one app caught in this dragnet (Applock – Fingerprint Password) is from a developer who previously had a PayPal credential theft trojan present in another app.
The methodology of the study makes it clear how widespread these shady privacy vault apps are: the researchers analyzed the top 30 results on the Play Store when searching for a “privacy app.” Eighteen of these apps were based in China or Hong Kong, and on average they ask for four permissions that the app does not need to function – the biggest offender asked for 14 unnecessary permissions. These included the ability to initiate phone calls, record audio and read the user’s GPS location and body sensors. And as was seen with the Video Hider app, sometimes they are able to access sensitive components of the device without a permission notification.
While most of the developers of these privacy vault apps are not committing outright theft or passing malware, they are making plenty of money by skimming and selling off sensitive personal data that most users would rather not share.
Avoid being trapped by a privacy vault app
Much of the advice that Cybernews provides for avoiding Android privacy vault apps applies more broadly to selecting software, apps, browser extensions, website plugins and add-ons of all types.
The first suggestion is to compare the permission requests to what the app needs to do. If it simply needs to move files to an encrypted folder, it shouldn’t be asking to access the microphone or camera. You’ll generally be prompted to grant permissions when you install the app, but you can also check up on existing permissions at any time by clicking on “About This App” in the app description.
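The permission comparison described above can be scripted. The following is an added example, not code from Cybernews or the article: it assumes the app's manifest has already been decoded to text XML (for example with apktool), and the baseline permission set, the sample manifest and the package name com.example.vault are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NAME = "{http://schemas.android.com/apk/res/android}name"
P = "android.permission."

# Assumed baseline for an app that only moves files into an encrypted folder.
EXPECTED = {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE",
            P + "USE_BIOMETRIC"}

# Capabilities named in the article, mapped to Android permission names.
SENSITIVE = {
    P + "CALL_PHONE": "initiate phone calls",
    P + "RECORD_AUDIO": "record audio (microphone)",
    P + "ACCESS_FINE_LOCATION": "read GPS location",
    P + "BODY_SENSORS": "read body sensors",
    P + "CAMERA": "use the camera",
}

# Constructed sample: a decoded manifest for a hypothetical vault app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.vault">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.USE_BIOMETRIC"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.BODY_SENSORS"/>
  <application android:label="Example Vault"/>
</manifest>
"""

def audit_manifest(xml_text, expected=EXPECTED):
    """Return (unexpected, sensitive) for the permissions a manifest declares."""
    root = ET.fromstring(xml_text.strip())
    requested = set()
    # Both tags declare permissions; the -sdk-23 form applies on Android 6.0+.
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(NAME)
            if name:
                requested.add(name)
    unexpected = sorted(requested - set(expected))
    sensitive = {p: SENSITIVE[p] for p in unexpected if p in SENSITIVE}
    return unexpected, sensitive

if __name__ == "__main__":
    unexpected, sensitive = audit_manifest(SAMPLE_MANIFEST)
    print(f"{len(unexpected)} permissions beyond the baseline:")
    for perm in unexpected:
        print(f"  {perm}  {sensitive.get(perm, '')}")
```

A manifest check only covers declared permissions; behavior like the Video Hider case, where a component is used without a permission notification, would not show up in this output.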
Apps should also be looked at with heightened suspicion if they are free (as some sort of data skimming is the usual monetization system in this case), or if they are from a developer that doesn’t have an established public reputation.
Cybernews cautions specifically about apps with privacy policies that redirect to a Google Docs link or a Blogspot page, and those that are strangely short or are written in broken English.
Recent research shows that the Google Play Store’s problems are not limited to privacy vault apps. In recent months the platform has been beset by all sorts of malware that has managed to slip by Google’s security, leading to millions of device infections in 2020 alone. The most common purpose is to rope the device into an ad fraud scheme, which can be difficult for the end user to detect but can suddenly cause the device to use excessive bandwidth, quickly chew through battery power or run hot. There is also still no end of money to be made in leaking sensitive data to advertisers.