Pierluigi Paganini February 04, 2019

Researchers at Trend Micro discovered at least 29 malicious photo editing and beauty apps that were able to perform several malicious activities.

Crooks continue to abuse Google Play store to distribute malicious apps, this time experts at Trend Micro discovered at least 29 malicious
photo editing and beauty apps that were stealing users’ photos.

The malicious apps in the Google Play Store have been downloaded more than 4 million times before they were removed.

The photo editing and beauty apps were including a code that could perform a broad range of malicious activities.

Experts estimated that 3 of the tainted applications (Pro Camera Beauty, Cartoon Art Photo, Emoji Camera) have been downloaded more than a million times. The Artistic Effect Filter was downloaded over 500,000 times and other seven rogue apps were installed over 100,000 times.

“We discovered several beauty camera apps (detected as AndroidOS_BadCamera.HRX) on Google Play that are capable of accessing remote ad configuration servers that can be used for malicious purposes.” reads the analysis published by Trend Micro.

“Some of these have already been downloaded millions of times, which is unsurprising given the popularity of these kinds of apps.”

When an Android user will download one of the malicious apps he will not immediately sees any suspicious behavior.

Once installed, some of these apps would redirect users to phishing websites others would push full-screen advertisements on the infected device for fraudulent or pornographic content every time the victims will unlock the device.

Some of the beauty apps were including a malicious code that uploads user’s photos to a remote server controlled by the author.

However, instead of displaying an edited photo, the apps display a picture with a fake update prompt in nine different languages.

“However, instead of getting a final result with the edited photo, the user gets a picture with a fake update prompt in nine different languages.” continues the analysis.

“The authors can collect the photos uploaded in the app, and possibly use them for malicious purposes — for example as fake profile pics in social media.”

Some of the beauty apps use packers to prevent them from being analyzed by security firms, they also hide the app icon from the list of installed applications to make it more difficult for users to uninstall them.

TrendMicro reported the list of malicious apps to Google that quickly removed them from the Play Store.

Experts recommend downloading mobile apps only from the official store and that were developed by known and trusted authors. Users can also check reviews for the apps and never install applications for which were reported anomalous behaviors.

Additional info, including Indicators of Compromise (IoCs) are reported in the post published by Trend Micro.

Pierluigi Paganini

(Security Affairs – beauty apps, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]