These camera apps with billions of downloads might be stealing your data and infecting you with malware


Additional reporting by Rimantas Leonavičius.

When you download a beauty camera app, you’re probably expecting it to add a makeup or cartoon filter on your face for more interesting selfies, or just to clean up some lower-quality pictures you took.

But in the background, you’re not expecting these apps to scrape and sell your data, plague you with nonstop, malicious ads, redirect you to phishing websites, or even spy on you.

But that’s exactly what some of the top beauty camera apps have been found guilty of doing. Take the #1 beauty camera app, BeautyPlus - Easy Photo Editor & Selfie Camera, with 300 million installs, which was identified as being either malware or spyware. Its developer, Meitu, was suspected of collecting user data on its Chinese servers, and then selling it.

But they’re not the only ones. There’s also the app developer iJoysoft, whose apps are connected to malicious adware. Lyrebird Studio, the developer behind Beauty Makeup, Selfie Camera Effects, Photo Editor, was identified by Trend Micro for sending users pornographic content, redirecting them to phishing sites, and collecting their pictures.

3 app developers are also apparently guilty of trying to hide their connection: they seem to be separate developers with separate apps, but we discovered that they are likely run by the same group in China.

I found that one app, Beauty Camera by Phila AppStore, simply went ahead and used my camera, without even asking for camera permission. The app has already been installed half a million times.

These and other apps are still available in the Play store, having been downloaded 1.4 billion times. So what’s the best thing for you to do? Obviously, you don’t need a beauty camera app, so the first thing to do is to delete any suspicious apps from your phone.

Suspicious apps include:

  • Beauty camera apps that are requesting permissions they don’t need
  • Apps from unknown app developers, especially free apps
  • Apps that engage in unethical behavior or show aggressive ads

Again – since you don’t really need these apps, it might be best to completely forego these camera apps, or instead use well-known camera and filter apps like Snapchat, Messenger, or Instagram.

Methodology

In order to perform this research, we analyzed the top 30 results that were displayed on Google Play after searching for the keyword “beauty camera.” In checking the trustworthiness of these apps, we analyzed the following:

  • The number of dangerous permissions they’re asking for
  • The location of the app developers, and the transparency of this location
  • Any history of malware, spyware, vulnerabilities, or unethical practices

Summary of our results

Our results are eye-opening:

  • More than half (16) of these apps are based in Hong Kong or China
  • One app doesn’t ask for permission to use your camera, but turns the camera on anyways – without any permission
  • Three seemingly separate developers seem to be run by the same group, and may be connected to apps previously found to contain a widely-dispersed Trojan
  • The top-ranked app developer Meitu, with more than 300 million installs, had apps identified as malware, violating Google’s ad policies, or secretly collecting data
  • One app developer was found to install malware through its software
  • One app was accused of sending users pornographic content, redirecting them to phishing sites, or collecting their pictures
  • These apps are requesting up to 7 dangerous permissions, 5 on average, most of which are unnecessary for the app to function
  • Unnecessary permissions include recording audio, using GPS, and seeing users’ phone statuses
  • While only a few permissions are required for the app to function, one app includes a whopping 40 total permissions

The riskiest camera apps in the Play store

In our investigation into these top beauty camera apps – which have been installed at least 1.39 billion times – we made some interesting discoveries. Let’s look at some of the biggest.

This app used our camera without permission

When we initially analyzed these apps to see what kind of permissions they were requesting, we were surprised to find that only 29 out of 30 apps asked for the CAMERA permission: Beauty Camera by Phila AppStore, with 500,000 installs already, didn’t ask for any camera access.

Intrigued, I installed and launched the app in our testing environment to see whether it was a mistake in our analysis, or if the app simply edited already captured images. We were quite surprised by the actual results:

The app used our camera without even asking for the CAMERA permission.

Let’s state the seriousness here: the CAMERA permission is considered a dangerous permission by Google’s Android policy, and users must explicitly agree to grant it. One reader pointed out that this is achieved by using an Intent to launch the phone’s default camera app, having that photo saved to storage, and then using the app’s STORAGE permissions to access the image. While this is possible, it seems suspicious, considering that the app could simply ask for the CAMERA permission and skip the more tedious process.

When we launched the app, we were immediately met with a full-screen ad. Going to the app’s home screen, we were met with two more ads.

Left: full-screen ad right after launching the app; Right: the app’s home screen with more ads

I then clicked on the camera icon to see what happens – since no camera permissions were required at all. And, let me tell you, I was quite surprised by what I saw on my screen:

My surprised face at seeing my own face

I was especially surprised since I gave no CAMERA permission at all – and the app lists no camera permission in its settings:

No camera permission listed, and no camera permission given

No camera permissions were given, since none exist

As mentioned, the app accesses the camera when you give it permission to access your storage. We tried to reach out to the app developer to ask their opinion for why they don't just ask for the CAMERA permission, but unfortunately the email address that Phila AppStore lists on their page just doesn’t work anymore:

One group to rule them all

When looking for the actual location of app developers, we found something interesting:

Three app developers seemed to be from the same group based in China. Even worse, they’re potentially connected to malware previously discovered.

The app developers Coocent, KX Camera Team and Dreams Room are seemingly separate developers with similar app offerings:

Coocent's app offerings
KX Camera Team's app offerings
Dreams Room's app offerings

These app offerings are pretty similar: camera apps, music or audio apps, flashlight apps, and weather apps. The icons are also quite similar, but after analyzing 30 apps, I discovered that this seems to be part of the app development process.

However, when we looked at the privacy policies for these three developers, we found that they’re all hosted on the exact same domain:

Coocent privacy policy URL:

KX Camera Team privacy policy URL:

Dreams Room privacy policy URL:

The domain hosting these three apps’ privacy policies, aliyuncs.com, is from Alibaba Cloud Computing (Beijing) Co., Ltd.

We can even see that Coocent’s privacy policy extension is named KuXun (which sounds similar to Coocent), a name that is also reflected in KX Camera Team’s name. KX Camera Team has another app, Super-Bright Flashlight, which even has “coocent” as part of its app ID (which cannot be changed after it has been created):

Coocent in KX Camera Team's app ID

Then there’s Coocent’s non-active Twitter account, which has some important information you can see right from the search results page:

Coocent's inactive Twitter account in search

Those Chinese characters at the end – 中华人民共和国 – translate to the “People’s Republic of China”, the formal name for China.

Google Translate - People's Republic of China

Because of all that, we believe that the app developers Coocent, KX Camera Team and Dreams Room are all from the same group and they are based somewhere in China.

There’s also the possibility of not just unethical business practices and hiding their actual location, but that this Coocent-KX-Dreams Room group may also have developed apps previously found to be malicious. A ThinkBig/Empresas article [in Spanish] discusses the Xynyin malware family, whose member apps steal users’ sensitive information, download another hidden app file (apk) and secretly install it.

Included in this malware family is an app whose app ID contains the name “coocent”:

A reputation for maliciousness

The #1 and #2-ranked beauty camera apps, with combined installs of more than 310 million, are known for having been reported as malware or participating in unethical practices.

The top-ranked BeautyPlus - Easy Photo Editor & Selfie Camera was identified by the Indian government as being malware or spyware. The government alerted all military and paramilitary officials to inform their men to delete the listed apps.

This same app was also discovered to be in violation of Google’s advertising ID policies since they track their users more than is allowed. (Another camera app, B612 – Beauty & Filter Camera, with 100 million installs, was also mentioned in the research.) BleepingComputer mentions that these apps collect:

...persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers, and sending them to mobile advertising related domains alongside ad IDs.

The app developer behind BeautyPlus is Meitu (China) Limited, which had been called out before for secretly collecting and selling users’ data to companies for better ad targeting. The developer was also blamed for “already sending your phone's unique identifier (the IMEI) to multiple servers in China.”

Another app developer, Hong Kong-based iJoysoft, has had some of its software connected to malware, either directly or through bundling. Through its YouTube Video Converter software, the VideoConverterHD adware is installed, which can drastically slow down your device’s performance, take over your screen with ads that are hard to close, and possibly inject harmful code in your computer’s registry editor.

Another app developer, Istanbul-based Lyrebird Studio, creator of the camera app Beauty Makeup, Selfie Camera Effects, Photo Editor, was identified in research by Trend Micro to be one of many apps that send users porn, redirect them to malicious phishing sites, or collect their pictures.

Too many dangerous permissions

Most obviously, camera apps will require about two dangerous permissions in order to function: CAMERA (to take pictures) and WRITE_STORAGE (to save your edited images).

What our research discovered, however, is that these apps are requesting an average of 5 dangerous permissions, with one app requesting 7 dangerous permissions.

So what dangerous permissions are they requesting?

  • 1 app wants the ability to scan your contacts list
  • 13 apps want access to your GPS location
  • 10 apps want access to your coarse location (via cell towers and wifi networks)
  • 23 apps want access to your microphone
  • 30 apps want the ability to write files to your device
  • 29 apps want access to your camera
  • 29 apps want the ability to read files on your device

It becomes important then to ask why a beauty camera app needs to record audio, track your GPS location, or go through your contacts list.
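
The permission check described above, as an added Python example that is not part of the original research: it reads a decoded AndroidManifest.xml, counts the dangerous permissions, and flags those beyond the article's baseline of CAMERA plus storage write (which Android names WRITE_EXTERNAL_STORAGE). The two manifests and their package names are constructed for illustration; the second models an app that declares storage access but no CAMERA permission.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Dangerous (runtime) permissions named in the article, and what each exposes.
DANGEROUS = {
    "CAMERA": "camera",
    "RECORD_AUDIO": "microphone",
    "ACCESS_FINE_LOCATION": "GPS location",
    "ACCESS_COARSE_LOCATION": "coarse location",
    "READ_CONTACTS": "contacts list",
    "READ_PHONE_STATE": "phone status",
    "READ_EXTERNAL_STORAGE": "read files",
    "WRITE_EXTERNAL_STORAGE": "write files",
}
# The article's baseline for a camera app: take pictures and save them.
BASELINE = {"CAMERA", "WRITE_EXTERNAL_STORAGE"}


def audit_manifest(manifest_xml):
    """Build a permission report from one decoded AndroidManifest.xml string."""
    # A manifest pulled from an unknown APK is untrusted XML; in a real
    # pipeline use defusedxml.ElementTree.fromstring for this call instead.
    root = ET.fromstring(manifest_xml)
    requested = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for el in root.iter(tag):
            name = el.get(ANDROID_NS + "name", "")
            if name and name not in requested:  # skip duplicates
                requested.append(name)
    # Short names (without the android.permission. prefix) of dangerous ones.
    dangerous = sorted(n[len(P):] for n in requested
                       if n.startswith(P) and n[len(P):] in DANGEROUS)
    excess = [n for n in dangerous if n not in BASELINE]
    findings = [f"{n}: {DANGEROUS[n]} access is beyond the camera baseline"
                for n in excess]
    if "CAMERA" not in dangerous and any("STORAGE" in n for n in dangerous):
        findings.append("no CAMERA permission: capture can only be delegated to "
                        "the system camera app by Intent and read from storage")
    return {"package": root.get("package"), "total": len(requested),
            "dangerous": dangerous, "excess": excess, "findings": findings}


def _manifest(package, names):
    """Constructed sample input: a minimal manifest requesting `names`."""
    uses = "".join(f'<uses-permission android:name="{P}{n}"/>' for n in names)
    return (f'<manifest xmlns:android="http://schemas.android.com/apk/res/android"'
            f' package="{package}">{uses}</manifest>')


# Constructed samples (hypothetical package names, not real apps).
OVER_PERMISSIONED = _manifest("com.example.beautycam", [
    "CAMERA", "WRITE_EXTERNAL_STORAGE", "READ_EXTERNAL_STORAGE", "RECORD_AUDIO",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_CONTACTS", "INTERNET"])
STORAGE_ONLY = _manifest("com.example.nocamera", [
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "INTERNET"])

if __name__ == "__main__":
    for sample in (OVER_PERMISSIONED, STORAGE_ONLY):
        report = audit_manifest(sample)
        print(f"{report['package']}: {report['total']} permissions, "
              f"{len(report['dangerous'])} dangerous, "
              f"{len(report['excess'])} beyond baseline")
        for line in report["findings"]:
            print("  -", line)
```

The AndroidManifest.xml inside an APK is stored in a binary format, so it has to be decoded (for example with apktool) before a script like this can read it.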

What these apps want with all your data

When looking at the past problems these app developers have had with data collection, the answer may become very obvious: money.

App developers can make lots of money by selling all your data to advertisers. Location-sharing agreements between app developers and app brokers – where apps can send your GPS coordinates up to 14,000 times per day – can bring in a lot of revenue. With just 1,000 users, app developers can get $4/month. If they have 1 million active users, they can get $4,000/month.

And that’s from just one broker. If they work with two app brokers with similar payouts, and have at least 10 million active monthly users, they could stand to make $80,000/month. With more dangerous permissions given by the user, they will get more sensitive data, which means they’ll make more money.

And that’s why these apps are free.

The cheaper apps, of course, take the easier route and simply flood their apps with non-stop, full screen ads that will cause their users to delete the apps sooner or later.

Summary

When considering this view of these popular beauty camera apps, it seems important to note the following:

These are non-essential apps that seem to be quite risky. Therefore, we recommend that you exercise caution in deciding whether or not to download these apps at all.

Essentially, you have to consider these important points:

  • These apps are non-essential, as they provide no crucial function
  • The top-ranked apps are created by developers with spotty reputations, outright malicious behavior, or using unethical practices
  • There are bigger, more dependable apps out there that have similar features, are more accountable and with a clearer ownership structure, such as Messenger, Snapchat, Instagram, etc.

The full list of the 30 analyzed beauty camera apps is below.

Ranking | App name | App Developer | Installs (as of Dec. 2019)
#1 | BeautyPlus - Easy Photo Editor & Selfie Camera | Meitu (China) Limited | 300,000,000
#2 | BeautyCam | Meitu (China) Limited | 10,000,000
#3 | Beauty Camera - Selfie Camera | InShot Inc | 10,000,000
#4 | Beauty Camera Plus – Sweet Camera ♥ Makeup Photo | Fantastic Photo - Beauty Makeup Pro StudioPhotography | 1,000,000
#5 | Beauty Camera - Selfie Camera & Photo Editor | Sweet Selfie Inc. | 500,000
#6 | Selfie Camera - Beauty Camera & Photo Editor | KX Camera Team | 10,000,000
#7 | YouCam Perfect - Best Selfie Camera & Photo Editor | Perfect Corp. | 100,000,000
#8 | Sweet Snap - Beauty Selfie Camera & Face Filter | Sweet Chat & Snap Apps | 100,000,000
#9 | Sweet Selfie Snap - Sweet Camera, Beauty Cam Snap | Pro Too Movie Apps Good Develop | 500,000
#10 | Beauty Camera - Selfie Camera with Photo Editor | Coocent | 1,000,000
#11 | Beauty Camera - Best Selfie Camera & Photo Editor | KX Camera Team | 5,000,000
#12 | B612 - Beauty & Filter Camera | SNOW, Inc. | 500,000,000
#13 | Face Makeup Camera & Beauty Photo Makeup Editor | Alex Joe | 10,000,000
#14 | Sweet Selfie - Selfie Camera & Makeup Photo Editor | Sweet Selfie Inc. | 100,000,000
#15 | Selfie camera - Beauty camera & Makeup camera | PhotoArt Inc. | 1,000,000
#16 | YouCam Perfect - Best Photo Editor & Selfie Camera | Perfect Corp. | 100,000,000
#17 | Beauty Camera Makeup Face Selfie, Photo Editor | Virgilo Malley | 1,000,000
#18 | Selfie Camera - Beauty Camera | Best App - Top Droid Team | 500,000
#19 | Z Beauty Camera | GOMO | 5,000,000
#20 | HD Camera Selfie Beauty Camera | iJoysoft | 5,000,000
#21 | Candy Camera - selfie, beauty camera, photo editor | JP Brothers, Inc. | 100,000,000
#22 | Makeup Camera-Selfie Beauty Filter Photo Editor | Photo Editor Perfect Corp. | 1,000,000
#23 | Beauty Selfie Plus - Sweet Camera Wonder HD Camera | Sai2D | 100,000
#24 | Selfie Camera - Beauty Camera & AR Stickers | Dreams Room | 1,000,000
#25 | Pretty Makeup, Beauty Photo Editor & Selfie Camera | Photo Editor Perfect Corp. | 10,000,000
#26 | Beauty Camera | Phila AppStore | 500,000
#27 | Bestie - Camera360 Beauty Cam | PinGuo Inc. | 10,000,000
#28 | Photo Editor - Beauty Camera | KX Camera Team | 100,000
#29 | Beauty Makeup, Selfie Camera Effects, Photo Editor | Lyrebird Studio | 5,000,000
#30 | Selfie cam - bestie makeup beauty camera & filters | Hd wallpapers and backgrounds studio | 100,000

Total installs: 1,388,300,000


Comments

Anil Chaudhary
2 years ago
Thanks for sharing informative article, I really like this post.
Zorden
4 years ago
Fantastic
RitikSingh
4 years ago
Nice article 👍👍👍
hmtv
4 years ago
very good article thanks
Frank
4 years ago
Thanks for your hard work. Judging by the string of critical responses, your primary audience seems to be people (or bots?) in tech company PR departments. That’s unfortunate. Trust me, there are many, many, many of us who, whether we know it or not, depend on people like you to sort through the byzantine code monkey pandemonium in search of genuine threats to ourselves and our children. Keep it up, please!
Cici
4 years ago
Hi, Bernard
Thank you for this very useful article. Did you find out if any of these apps stored a copy of the users’ photos on their servers?
Syef Alalmari
4 years ago
Very Nice Article Thanks for it..
Bob
4 years ago
Is there a link to the analysis to show the specific concerns with each of the apps in the list?
I have more concerns with something that appears actively malicious or exploitable vs sloppy developers that ask/use more permissions than they really need.
Leslie
4 years ago
If you look up Perfect Corp. (YouCam Perfect) you will find the company is located in San Jose, California. True that it didn’t request ANY permissions and yet I was able to record audio and take pictures and video using the app. What’s the deal? Maybe we should be going after Silicon Valley, too…
Leslie
4 years ago
Also, you should let Aveda know because in November 2019 they started working with Perfect Corp to show potential clients what their hair colors would look like. (https://www.businesswire.com/news/home/20191115005174/en/Perfect-Corp.-Partners-Aveda-First-of-its-Kind-Artificial-Intelligence)

Also, it seems that this article is based on an article that was from indiatimes.com (https://www.indiatimes.com/technology/news/the-government-has-named-42-apps-chinese-spyware-including-big-names-like-truecaller-334785.html) and one company already issued a statement that the accusation was not true so probably others are wrong as well.

Oh, and I looked up the multiple locations for YouCam… 2 locations in California, 1 location in New York, 1 location in Barcelona…
Bernard Meyer
4 years ago
Hi there – thanks for your comments.

If you look at the table at the bottom of the article, you’ll see that we did include Youcam Perfect in our analysis. However, when we took a deeper look at them, we didn’t find anything that you’re describing. They did ask for CAMERA and STORAGE permissions, so there were no surprises there.

Also, while they may have offices in San Jose, if you look at their LinkedIn (https://www.linkedin.com/company/perfect-corp/about/) you’ll see that they’re actually headquartered in Taiwan (New Taipei City). Nonetheless, I have no problem going after any region, mostly because we’re not “going after” any region here. We were simply analyzing suspicious beauty camera apps. Their locations are of secondary importance here.
Paul
1 year ago
Please check into Conico, MIPC and Vimtag as they have stolen videos from my security cameras, some were very private and personal! Sickening!
Ivan
4 years ago
Dude, not to rain on your parade or anything… but you don’t need camera permissions to do that.

That app is using an Intent to launch the default camera of the phone and take the photo. The photo is then stored into the storage and it can be retrieved by the app. That’s why the app needs storage access but no camera access.

That is standard procedure and there is nothing special about it. The app sucks and it is full of ads, yes, but that’s about it.
Bernard Meyer
4 years ago
Hey, thanks for the info. Updated it based on your comments!
Loona
4 years ago
I’m sorry but it’s hard to take this seriously when you keep mentioning how recording audio is unnecessary…. You know, it’s a camera app, you take videos with them, videos have audio… This can’t be a real argument. And although unsafe, camera apps also need reading files permissions, to edit the picture… It seems the writer hasn’t used a camera app? Camera and write storage aren’t the only necessary permissions. Location is something I also find useless but even Google’s camera does that, most cameras can ask you for that permission and you can deny it anyway… Is Google’s app also going to be criticized?
Jane
4 years ago
“It seems the writer hasn’t used a camera app?” I couldn’t agree more on this comment. I wonder how an expert who knows nothing about technology writes an article in an IT News. “Storage access” does not mean that the service provider owns a complete access to individuals’ files and data. It’s a necessary agreement that the camera will able users to save their pictures to their own devices, not that they would send their personal pictures to the data center of the companies they don’t know the name of.

Even some of the application you’ve listed are not even from Chinese companies. If you were intending to make a criticism towards some Chinese IT companies, you should have done a deeper research on that.
Bernard Meyer
4 years ago
Hi Jane, thanks for reading and your comment. I’m a bit confused though about a few points:

1 – I don’t think I ever made the claim that storage access meant that these camera apps own “complete access to individuals’ files”. In fact, I listed storage as one of the two NECESSARY functions for a camera app to work.
2 – I didn’t mention that all of these apps are in China. In fact, right at the top, under the section Summary of results, I mention the following: “More than half (16) of these apps are based in Hong Kong or China”. Since we looked at 30 apps in total, that means that almost half are not in China or Hong Kong.

So, in total, I’m not really sure what you meant overall with your comment. Can you clarify?
Tombc
4 years ago
Wow. Mention China or Chinese in your blog post and commenters with questionable English skills and western sounding usernames show up.

Bernard, why are you replying to these users as if they are real people and not Chinese army? That’s very generous of you.
Bernard Meyer
4 years ago
TombC – I still have hope they’re real people and I’m simply answering their questions or clarifying their issues.

Thanks for commenting.
Bernard Meyer
4 years ago
Hi Loona – thanks for your comment. What you say is logical, but I didn’t mention that they were unnecessary in absolute terms. I mentioned that they weren’t necessary for their core function. For example, a Scrabble-type game may have a feature where you can add a new picture to your game profile, but I wouldn’t call that camera permission necessary for the game to function. Similarly, a camera app adds filters to your pictures, and that’s its core function. The problem here isn’t any situation in isolation, it’s a combination of events.

With ALL of the data scraping, collection and selling to data brokers going on, would you want that data to be handled by an app with suspicious ownership, potentially from a country known to be surveillance- and data-hungry, as well as authoritarian?

Again, it’s not a simple A = “bad”. It’s A + B + C + … = “can you trust it?” If you do, that’s fine. But other people may not.
Mina
4 years ago
So basically yet another narrative with no proof to target Chinese companies under the false flag of “China is spying on us”. You’re sabotaging business with accusations. The entire article is only accusation and people who don’t read critically, will misread in meitu selling data while they don’t. I will go ahead and search if you also asked users to delete the Facebook app, who after all had a huge data breach in 2018.