These camera apps with billions of downloads might be stealing your data and infecting you with malware
Additional reporting by Rimantas Leonavičius.
When you download a beauty camera app, you’re probably expecting it to add a makeup or cartoon filter on your face for more interesting selfies, or just to clean up some lower-quality pictures you took.
But in the background, you’re not expecting these apps to scrape and sell your data, plague you with nonstop, malicious ads, redirect you to phishing websites, or even spy on you.
But that’s exactly what some of the top beauty camera apps have been found guilty of doing. Take the #1 beauty camera app, BeautyPlus - Easy Photo Editor & Selfie Camera, with 300 million installs, which was identified as being either malware or spyware. Its developer, Meitu, was suspected of collecting user data on its Chinese servers, and then selling it.
But they’re not the only one. There’s also the app developer iJoysoft, whose apps are connected to malicious adware. Lyrebird Studio, the developer behind Beauty Makeup, Selfie Camera Effects, Photo Editor, was identified by Trend Micro for sending users pornographic content, redirecting them to phishing sites, and collecting their pictures.
3 app developers are also apparently guilty of trying to hide their connection: they seem to be separate developers with separate apps, but we discovered that they are likely run by the same group in China.
I found that one app, Beauty Camera by Phila AppStore, simply went ahead and used my camera, without even asking for camera permission. The app has already been installed half a million times.
These and other apps are still available in the Play store, having been downloaded 1.4 billion times. So what’s the best thing for you to do? Obviously, you don’t need a beauty camera app, so the first thing to do is to delete any suspicious apps from your phone.
Suspicious apps include:
- Beauty camera apps that are requesting permissions they don’t need
- Apps from unknown app developers, especially free apps
- Apps that engage in unethical behavior or show aggressive ads
Again – since you don’t really need these apps, it might be best to completely forego these camera apps, or instead use well-known camera and filter apps like Snapchat, Messenger, or Instagram.
Methodology
In order to perform this research, we analyzed the top 30 results that were displayed on Google Play after searching for the keyword “beauty camera.” In checking the trustworthiness of these apps, we analyzed the following:
- The number of dangerous permissions they’re asking for
- The location of the app developers, and the transparency of this location
- Any history of malware, spyware, vulnerabilities, or unethical practices
Summary of our results
Our results are eye-opening:
- More than half (16) of these apps are based in Hong Kong or China
- One app doesn’t ask for permission to use your camera, but turns the camera on anyways – without any permission
- Three seemingly separate developers seem to be run by the same group, and may be connected to apps previously found to contain a widely-dispersed Trojan
- The top-ranked app developer Meitu, with more than 300 million installs, had apps identified as malware, violating Google’s ad policies, or secretly collecting data
- One app developer was found to install malware through its software
- One app was accused of sending users pornographic content, redirecting them to phishing sites, or collecting their pictures
- These apps are requesting up to 7 dangerous permissions, 5 on average, most of which are unnecessary for the app to function
- Unnecessary permissions include recording audio, using GPS, and seeing users’ phone statuses
- While only a few permissions are required for the app to function, one app includes a whopping 40 total permissions
The riskiest camera apps in the Play store
In our investigation into these top beauty camera apps – which have been installed at least 1.39 billion times – we made some interesting discoveries. Let’s look at some of the biggest.
This app used our camera without permission
When we initially analyzed these apps to see what kind of permissions they were requesting, we were surprised to find that only 29 out of 30 apps asked for the CAMERA permission: Beauty Camera by Phila AppStore, with 500,000 installs already, didn’t ask for any camera access.
Intrigued, I installed and launched the app in our testing environment to see whether it was a mistake in our analysis, or if the app simply edited already captured images. We were quite surprised by the actual results:
The app used our camera without even asking for the CAMERA permission.
Let’s state the seriousness here: Google’s Android policy classifies CAMERA as a dangerous permission, and users absolutely must agree to it before an app can use it. One reader pointed out that this is achieved by using an Intent to launch the phone’s default camera app, having that photo saved to storage, and then using the app’s STORAGE permissions to access the image. While this is possible, it seems suspicious, considering that the app could simply ask for CAMERA permissions and skip the more tedious process.
When we launched the app, we were immediately met with a full-screen ad. Going to the app’s home screen, we were met with two more ads.
Left: full-screen ad right after launching the app; Right: the app’s home screen with more ads
I then clicked on the camera icon to see what happens – since no camera permissions were required at all. And, let me tell you, I was quite surprised by what I saw on my screen:
My surprised face at seeing my own face
I was especially surprised since I gave no CAMERA permission at all – and the app lists no camera permission in its settings:
No camera permission listed, and no camera permission given
As mentioned, the app accesses the camera when you give it permission to access your storage. We tried to reach out to the app developer to ask why they don't just ask for the CAMERA permission, but unfortunately the email address that Phila AppStore lists on their page just doesn’t work anymore:
One group to rule them all
When looking for the actual location of app developers, we found something interesting:
Three app developers seemed to be from the same group based in China. Even worse, they’re potentially connected to malware previously discovered.
The app developers Coocent, KX Camera Team and Dreams Room are seemingly separate developers with similar app offerings:
These app offerings are pretty similar: camera apps, music or audio apps, flashlight apps, and weather apps. The icons are also quite similar, but after analyzing 30 apps, I discovered that this seems to be part of the app development process.
However, when we looked at the privacy policies for these three developers, we found that they’re all hosted on the exact same domain:
Coocent privacy policy URL:
KX Camera Team privacy policy URL:
Dreams Room privacy policy URL:
The domain hosting these three apps’ privacy policies, aliyuncs.com, is from Alibaba Cloud Computing (Beijing) Co., Ltd.
We can even see that Coocent’s privacy policy extension is named KuXun (which sounds similar to Coocent), and this is reflected in KX Camera Team’s name. KX Camera Team has another app, Super-Bright Flashlight, which even has “coocent” as part of its app ID (which is unchangeable after it’s been created):
Then there’s Coocent’s non-active Twitter account, which has some important information you can see right from the search results page:
Those Chinese characters at the end – 中华人民共和国 – translate to the “People’s Republic of China”, the formal name for China.
Because of all that, we believe that the app developers Coocent, KX Camera Team and Dreams Room are all from the same group and they are based somewhere in China.
There’s also the possibility of not just unethical business practices and hiding their actual location, but that this Coocent-KX-Dreams Room group may also have developed apps previously found to be malicious. A ThinkBig/Empresas article [in Spanish] discusses the Xynyin malware family, whose member apps steal users’ sensitive information, download another hidden app file (apk) and secretly install it.
Included in this malware family is an app whose app ID contains the name “coocent”:
A reputation for maliciousness
The #1 and #2-ranked beauty camera apps, with combined installs of more than 310 million, are known for having been reported as malware or participating in unethical practices.
The top-ranked BeautyPlus - Easy Photo Editor & Selfie Camera was identified by the Indian government as being malware or spyware. The government alerted all military and paramilitary officials to inform their men to delete the listed apps.
This same app was also discovered to be in violation of Google’s advertising ID policies since they track their users more than is allowed. (Another camera app, B612 – Beauty & Filter Camera, with 100 million installs, was also mentioned in the research.) BleepingComputer mentions that these apps collect:
...persistent device identifiers such as serial numbers, IMEI, WiFi MAC addresses, SIM card serial numbers, and sending them to mobile advertising related domains alongside ad IDs.
The app developer behind BeautyPlus is Meitu (China) Limited, which had been called out before for secretly collecting and selling users’ data to companies for better ad targeting. The developer was also blamed for “already sending your phone's unique identifier (the IMEI) to multiple servers in China.”
Another app developer, Hong Kong-based iJoysoft, has had some of its software connected to malware, either directly or through bundling. Through its YouTube Video Converter software, the VideoConverterHD adware is installed, which can drastically slow down your device’s performance, take over your screen with ads that are hard to close, and possibly inject harmful code in your computer’s registry editor.
Another app developer, Istanbul-based Lyrebird Studio, creator of the camera app Beauty Makeup, Selfie Camera Effects, Photo Editor, was identified in research by Trend Micro to be one of many apps that send users porn, redirect them to malicious phishing sites, or collect their pictures.
Too many dangerous permissions
Most obviously, camera apps will require about two dangerous permissions in order to function: CAMERA (to take pictures) and WRITE_STORAGE (to save your edited images).
What our research discovered, however, is that these apps are requesting an average of 5 dangerous permissions, with one app requesting 7 dangerous permissions.
So what dangerous permissions are they requesting?
- 1 app wants the ability to scan your contacts list
- 13 apps want access to your GPS location
- 10 apps want access to your coarse location (via cell towers and wifi networks)
- 23 apps want access to your microphone
- 30 apps want the ability to write files to your device
- 29 apps want access to your camera
- 29 apps want the ability to read files on your device
It becomes important then to ask why a beauty camera app needs to record audio, track your GPS location, or go through your contacts list.
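The permission check from the Methodology and from this section, as an added example (not code from the article or from any app it names): it reads a decoded AndroidManifest.xml, counts the dangerous permissions, lists those beyond a camera-plus-storage baseline, and flags the Phila AppStore pattern of storage access with no CAMERA entry. The two manifests are constructed samples, the baseline set is an assumption, and the article's WRITE_STORAGE is taken to mean Android's WRITE_EXTERNAL_STORAGE.

```python
import xml.etree.ElementTree as ET

NAME_ATTR = "{http://schemas.android.com/apk/res/android}name"
PREFIX = "android.permission."
# Dangerous-level permissions named in the article's findings.
DANGEROUS = {
    "CAMERA", "RECORD_AUDIO", "READ_CONTACTS", "READ_PHONE_STATE",
    "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}
STORAGE = {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"}
# Assumption: a camera app's baseline is the camera plus the storage pair.
BASELINE = {"CAMERA"} | STORAGE


def requested_permissions(manifest_xml):
    """Return the short names of all android.permission.* entries requested."""
    # The manifest comes from an untrusted APK; parse it as data only.
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            value = node.get(NAME_ATTR, "")
            if value.startswith(PREFIX):
                names.add(value[len(PREFIX):])
    return names


def audit(manifest_xml):
    """Summarise a manifest along the lines of the article's methodology."""
    requested = requested_permissions(manifest_xml)
    dangerous = requested & DANGEROUS
    return {
        "total": len(requested),
        "dangerous": sorted(dangerous),
        "unneeded": sorted(dangerous - BASELINE),
        # Storage but no CAMERA: photos can still arrive via the system camera app.
        "camera_without_permission": "CAMERA" not in requested
                                     and bool(requested & STORAGE),
    }


# Constructed sample manifests (not taken from any real app).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
OVERREACHING = f"""<manifest {NS} package="com.example.beautycam">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""
STORAGE_ONLY = f"""<manifest {NS} package="com.example.storageonly">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("overreaching", OVERREACHING), ("storage-only", STORAGE_ONLY)):
        print(label, audit(xml))
```

A manifest flagged with `camera_without_permission` is not proof of wrongdoing; it only tells a reviewer that the app can obtain photos without the CAMERA prompt ever appearing.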
What these apps want with all your data
When looking at the past problems these app developers have had with data collection, the answer may become very obvious: money.
App developers can make lots of money by selling all your data to advertisers. Location-sharing agreements between app developers and app brokers – where apps can send your GPS coordinates up to 14,000 times per day – can bring in a lot of revenue. With just 1,000 users, app developers can get $4/month. If they have 1 million active users, they can get $4,000/month.
And that’s from just one broker. If they work with two app brokers with similar payouts, and have at least 10 million active monthly users, they could stand to make $80,000/month. With more dangerous permissions given by the user, they will get more sensitive data, which means they’ll make more money.
And that’s why these apps are free.
The cheaper apps, of course, take the easier route and simply flood their apps with non-stop, full screen ads that will cause their users to delete the apps sooner or later.
Summary
When considering this view of these popular beauty camera apps, it seems important to note the following:
These are non-essential apps that seem to be quite risky. Therefore, we recommend that you exercise caution when deciding whether or not to download these apps at all.
Essentially, you have to consider these important points:
- These apps are non-essential, as they provide no crucial function
- The top-ranked apps are created by developers with spotty reputations, outright malicious behavior, or using unethical practices
- There are bigger, more dependable apps out there that have similar features, are more accountable and with a clearer ownership structure, such as Messenger, Snapchat, Instagram, etc.
The full list of the 30 analyzed beauty camera apps is below.
Ranking | App name | App Developer | Installs (as of Dec. 2019) |
--- | --- | --- | --- |
#1 | BeautyPlus - Easy Photo Editor & Selfie Camera | Meitu (China) Limited | 300,000,000 |
#2 | BeautyCam | Meitu (China) Limited | 10,000,000 |
#3 | Beauty Camera - Selfie Camera | InShot Inc | 10,000,000 |
#4 | Beauty Camera Plus – Sweet Camera ♥ Makeup Photo | Fantastic Photo - Beauty Makeup Pro StudioPhotography | 1,000,000 |
#5 | Beauty Camera - Selfie Camera & Photo Editor | Sweet Selfie Inc. | 500,000 |
#6 | Selfie Camera - Beauty Camera & Photo Editor | KX Camera Team | 10,000,000 |
#7 | YouCam Perfect - Best Selfie Camera & Photo Editor | Perfect Corp. | 100,000,000 |
#8 | Sweet Snap - Beauty Selfie Camera & Face Filter | Sweet Chat & Snap Apps | 100,000,000 |
#9 | Sweet Selfie Snap - Sweet Camera, Beauty Cam Snap | Pro Too Movie Apps Good Develop | 500,000 |
#10 | Beauty Camera - Selfie Camera with Photo Editor | Coocent | 1,000,000 |
#11 | Beauty Camera - Best Selfie Camera & Photo Editor | KX Camera Team | 5,000,000 |
#12 | B612 - Beauty & Filter Camera | SNOW, Inc. | 500,000,000 |
#13 | Face Makeup Camera & Beauty Photo Makeup Editor | Alex Joe | 10,000,000 |
#14 | Sweet Selfie - Selfie Camera & Makeup Photo Editor | Sweet Selfie Inc. | 100,000,000 |
#15 | Selfie camera - Beauty camera & Makeup camera | PhotoArt Inc. | 1,000,000 |
#16 | YouCam Perfect - Best Photo Editor & Selfie Camera | Perfect Corp. | 100,000,000 |
#17 | Beauty Camera Makeup Face Selfie, Photo Editor | Virgilo Malley | 1,000,000 |
#18 | Selfie Camera - Beauty Camera | Best App - Top Droid Team | 500,000 |
#19 | Z Beauty Camera | GOMO | 5,000,000 |
#20 | HD Camera Selfie Beauty Camera | iJoysoft | 5,000,000 |
#21 | Candy Camera - selfie, beauty camera, photo editor | JP Brothers, Inc. | 100,000,000 |
#22 | Makeup Camera-Selfie Beauty Filter Photo Editor | Photo Editor Perfect Corp. | 1,000,000 |
#23 | Beauty Selfie Plus - Sweet Camera Wonder HD Camera | Sai2D | 100,000 |
#24 | Selfie Camera - Beauty Camera & AR Stickers | Dreams Room | 1,000,000 |
#25 | Pretty Makeup, Beauty Photo Editor & Selfie Camera | Photo Editor Perfect Corp. | 10,000,000 |
#26 | Beauty Camera | Phila AppStore | 500,000 |
#27 | Bestie - Camera360 Beauty Cam | PinGuo Inc. | 10,000,000 |
#28 | Photo Editor - Beauty Camera | KX Camera Team | 100,000 |
#29 | Beauty Makeup, Selfie Camera Effects, Photo Editor | Lyrebird Studio | 5,000,000 |
#30 | Selfie cam - bestie makeup beauty camera & filters | Hd wallpapers and backgrounds studio | 100,000 |
Total installs: 1,388,300,000
Comments
Thank you for this very useful article. Did you find out if any of these apps stored a copy of the users’ photos on their servers?
I have more concerns with something that appears actively malicious or exploitable vs sloppy developers that ask/use more permissions than they really need.
Also, it seems that this article is based on an article that was from indiatimes.com (https://www.indiatimes.com/technology/news/the-government-has-named-42-apps-chinese-spyware-including-big-names-like-truecaller-334785.html) and one company already issued a statement that the accusation was not true so probably others are wrong as well.
Oh, and I looked up the multiple locations for YouCam… 2 locations in California, 1 location in New York, 1 location in Barcelona…
If you look at the table at the bottom of the article, you’ll see that we did include Youcam Perfect in our analysis. However, when we took a deeper look at them, we didn’t find anything that you’re describing. They did ask for CAMERA and STORAGE permissions, so there were no surprises there.
Also, while they may have offices in San Jose, if you look at their LinkedIn (https://www.linkedin.com/company/perfect-corp/about/) you’ll see that they’re actually headquartered in Taiwan (New Taipei City). Nonetheless, I have no problem going after any region, mostly because we’re not “going after” any region here. We were simply analyzing suspicious beauty camera apps. Their locations are of secondary importance here.
That app is using an Intent to launch the default camera of the phone and take the photo. The photo is then stored into the storage and it can be retrieved by the app. That’s why the app needs storage access but no camera access.
That is standard procedure and there is nothing special about it. The app sucks and it is full of ads, yes, but that’s about it.
Even some of the applications you’ve listed are not even from Chinese companies. If you were intending to make a criticism towards some Chinese IT companies, you should have done deeper research on that.
1 – I don’t think I ever made the claim that storage access meant that these camera apps own “complete access to individuals’ files”. In fact, I listed storage as one of the two NECESSARY functions for a camera app to work.
2 – I didn’t mention that all of these apps are in China. In fact, right at the top, under the section Summary of results, I mention the following: “More than half (16) of these apps are based in Hong Kong or China”. Since we looked at 30 apps in total, that means that almost half are not in China or Hong Kong.
So, in total, I’m not really sure what you meant overall with your comment. Can you clarify?
Bernard, why are you replying to these users as if they are real people and not Chinese army? That’s very generous of you.
Thanks for commenting.
With ALL of the data scraping, collection and selling to data brokers going on, would you want that data to be handled by an app with suspicious ownership, potentially from a country known to be surveillance- and data-hungry, as well as authoritarian?
Again, it’s not a simple A = “bad”. It’s A + B + C + … = “can you trust it?” If you do, that’s fine. But other people may not.