Update May 22: Updated to include the results of analysis of 2NAD apps by mobile security firm Pradeo.
Update April 22: Google has finally removed all but 1 of these 2NAD apps from the Play store. The only app remaining from this network is Video Editor, Video Maker With Music Photos & Text, which previously was published by the developer Jacinto Macias, but now has been changed to a new developer, Alla Morning. However, if you have any of these apps (listed at the end of the article) on your phone, you should delete them immediately.
Our new research discovered that there’s a secret group of at least 27 app developers, with 101 apps in total for a combined 69 million installs, that seem to be connected, apparently copying each others’ apps, stealing apps from popular developers, and committing other fraud.
There’s much about this strange network that is unknown. Because they seem to share what’s become our initial connection – their app developer names consist of two parts, mostly Western names – we’ve termed this group as a two-name app developer network, or 2NAD for short.
Besides the names, we’ve discovered that:
- These apps are asking for an immense amount of dangerous permissions that unnecessarily put users’ risk in danger
- The websites listed for each app are all based on the same incomplete Firebase “website,” all with the same URL structure. The link to the website is a shortened bit.ly link
- When we looked at the APKs, there were obvious duplicates between the 2NAD network
- Some APKs were clearly stolen from other, more popular app developers outside the 2NAD network
- When comparing these duplicate or stolen apps side-by-side, the duplication becomes easy to see
Below, we go through each connection with detailed proofs. In general, however, there’s a huge problem with this 2NAD network. First of all, duplicating each others’ apps, or stealing other developers’ apps, is most likely against Google’s Android policies.
Additionally, these apps are also violating other Android policies, which include
- Misrepresentation, since they mislead their users and participate in a “coordinated activity to mislead users” by not notifying the users that they are probably part of the same network
- Repetitive Content, which doesn’t allow apps that have highly similar (in our research, nearly 100% similar) functions, content and user experience
- Made for Ads policy, which doesn’t allow apps whose primary purpose seem to be just to serve ads
Beyond that, it is bad for the user, since cloned/stolen apps may, in the best case scenario, provide users with a poor user experience, especially when it’s flooded with ads. In the worst case scenario, these apps can later become vehicles for malicious purposes, including stolen data or other malware.
For that reason, we recommend deleting any of the 101 apps found within the 2NAD network (we list all the 101 apps and 27 app developers at the end of the article).
About this research
In order to carry out this research, we looked at suspicious apps that met our first connection – the app developers having two names. After that, we filtered apps based on whether they share one of the other connections mentioned above. The initial data was gathered in January 2020. Since that time, some app names may have changed, and apps may have been removed from the Play store for various reasons.
High amount of dangerous permissions
Below, we’ll look at the proofs related to the connections of these 2NAD developers. However, these apps are asking for a huge amount of dangerous permissions that, if abused, can lead to stolen data and other serious breaches of user privacy.
In order to concisely analyze the types of permissions requested, we looked only at those apps that have at least 10,000 installs, which totalled 58 apps.
So what are the most requested permissions here?
|Permission name||No. requested|
As you can see, the most requested dangerous permissions are related to reading and writing storage, which can already pose some privacy and security problems. That’s because those permissions allow apps the ability to scan all your files — including your images, videos, documents, and more — as well as save any files to your device.
However, only by looking at the permissions by app can you get the full picture of the privacy and security risks here. Let’s take some examples:
- A call recorder app that wants permission to take pictures and record video
- A calculator app that asks for permission to your camera and your phone state, which allows them to see your cellular network information, phone accounts, and status of calls
- A dual account app that wants to access your GPS, your camera, your microphone, body sensors, your calendar, to see and edit your contacts, to see and edit your files, check your phone status, and much more
- A photo editor that wants to record audio
- A memory booster that wants your exact location
- A phone cooler that wants to see and edit your files, get your location and read your phone status
These bizarre permissions have nothing to do with the core function of the app. So why are these apps requesting them?
Optimistically, they just want to make as much money from you as possible.
As mentioned before in our research on dangerous beauty camera apps, app developers can make a hefty amount of money by selling your data to advertisers directly, or indirectly to data brokers. One data broker pays developers about $4/month for just 1,000 active users, which can come up to $8,000/month if they have even 1 million active users. (The total installs for the 2NAD network is almost 70 million, by the way, which can give the network a revenue of $10,000-$976,000 per month.)
Pessimistically, these apps could be stealing your data or enabling malicious content to enter your device. This is compounded by the fact that these apps are hiding their connection and operating from an unknown source.
One worst case scenario is that apps can launch ransomware once users have granted them the necessary permissions, make secret phone calls, or sell user data on the black market. They could even be harvesting user data and collecting them in secret servers.
In general, because these apps are already participating in risky behaviors that potentially violate Google’s Android policies, it’s best that users delete these apps immediately to mitigate all risks.
Proof #1 Each developer has a two-part name
The major reason that we’ve gotten to calling this network the 2NAD network is because each of these developers has two names as their developer name – seemingly a first name and last name.
While this by itself is not suspicious, it’s the first thing that caught my eye while I was looking through apps on the Play store. While the app names seem Western, the actual apps seem to be made for an Asian audience, such as makeup apps, Asian-inspired filters and the promotional materials for these apps.
Here’s a sample of these app developer names:
- Alex Joe (10 million installs)
- Virgilo Malley (7 million installs)
- Arrow Frankie (6 million installs)
- Armel Bilton (6 million installs)
- Daniel Malley (1.3 million installs)
- Hudson Parker (3 million installs)
- Noble Gracious (2 million installs)
(Of the 27 2NAD developers, only two names do not fit this pattern: ProCam – HD Camera and Fruit VPN – Better Connect.)
These names seem to have been created by an online name generator.
Proof #2 The same Privacy Policies with slight name changes
The second big red flag, which became our first filter, was the fact that the Privacy Policies for 2NAD apps were all bit.ly links leading to the same published Google Doc.
The only difference between these Privacy Policies was the name of the listed app developer.
Proof #3 The same URL structure for these apps’ “websites”
The URL structure is invariably: [app-name].web.app.
These “websites” are also not finished, all with the same message: “You’re seeing this because you’ve successfully setup Firebase Hosting. Now it’s time to go build something extraordinary!”
Proof #4 Stolen apps visible when comparing app UI
Some of these 2NAD apps seem to have explicitly and unashamedly cloned entire apps from other popular app developers. To be “unique,” they’ve simply changed certain colors and button styles.
However, the UI and functions are pretty much the same. For example, while looking through the APK for Daniel Malley’s Glitch Effect Video, Photo Editor Grainy Effect, I came across the email address “[email protected]”.
While we initially expected some readme text from github libraries, this email address actually belonged to a competing and very popular app developer called InShot Inc. When I looked through that developer’s apps, I noticed a similar app that provided glitch effects for videos. I installed both and compared them visually.
As you can see, these apps are exactly the same. The only difference is that the 2NAD app is flooded with ads, including interstitials after nearly every user interaction.
In a second case, I found another developer’s email address in Virgilo Malley’s Video Converter To MP3 Music & Audio MP3 Cutter:
This email address is connected to the app developer VideoMaster Tools. They have a similar video converter app, so I downloaded that one to compare the two apps.
On the left is the duplicate (cloned) app Video Converter To MP3 Music & Audio MP3 Cutter from the 2NAD developer Virgilo Malley. On the right, we have what we assume to be the authentic, non-2NAD Mp4 to Mp3 – Convert Video to Audio, Cut Ringtones from VideoMaster Tools:
The only things they changed were the colors and the placement of the ads.
Proof #5 Duplicate apps visible when analyzing APK files
To back up our visual comparison findings, I decided to look through the APK files to see if there were any similarities on the technical level. Firstly, I discovered that the app names in the Play store are different than the app names once installed on the device.
When looking at those, I discovered the first similarities, with three apps from the 2NAD developers Hudson Parker, ProCam – HD Camera, and Armel Bilton:
When I placed these apps’ APK files side-by-side, I saw that the similarities didn’t stop there:
I discovered the same with call recorder apps from 2NAD developers Lukas Podolskies and Arrow Frankie.
Again, as you can see, their APKs matched:
Proof #6 Duplicate apps visible when comparing app UI
Lastly, we have a number of apps for which we can’t seem to find the original app developer, as we could in Proof #4. Instead, we have what appears to be a master template, of which many versions are created for different developers in the 2NAD network.
Here are some examples:
App Locker Fingerprint & Password, Gallery Locker by Kylian Mbapee (5 million installs) compared to App Locker With Password Fingerprint, Lock Gallery by Jacinto Macias (1 million installs):
Here, the apps are pretty much the same, except for slightly different colors and different icons.
Another matchup: Face Makeup Camera & Beauty Photo Makeup Editor by Alex Joe (10 million installs) compared to Nucie Cam: Beauty Selfie Camera With Photo Editor by Rusty Mari (500,000 installs):
The three “video slide show” apps from the developers mentioned above in Proof #5 showed the same results.
Also, nearly every app in this 2NAD network has the same initial screen:
When you have these kinds of connections slapping you in the face, it’s hard to ignore them.
The most important questions about 2NAD
There are three major questions then: why, how, and who? For all of these, we can only provide our best estimates.
How do they do it?
When we look at how it was done, there are two options:
- They are manually cloned
- They are cloned by some automatic process
For either option, we first assume that there aren’t just 27 developers. We found 27 app developers, but the current existing number is only known by the 2NAD organizers themselves. Beyond that, there are certainly developers that had been deleted from the 2NAD network in the few years it’s been around. Perhaps the number is around 30 in total at the moment, but may be 50 or even 100 in the entire existence of the network.
Given that, for option 1 we have to assume that for 30-100 developers, it would take a bit of manpower and would require perhaps 5-10 people. This includes not just finding apps to clone (or creating master templates to duplicate), but also the marketing and success of each app. For example, the Hudson Parker app Makeup Camera gained about 500,000 installs in the span of roughly 2 weeks. That didn’t happen by accident.
However, since these apps are very lightly edited from their originals (simple changes in colors and buttons in the UI, and small details in the APKs), it’s very likely that it’s an automated process at some point. For this, we can assume that option 2 fits best, with some sort of automation also included into ranking the apps.
Why do they do it?
As for why, we can only guess. You may not like it for its lack of creativity, but the most obvious answer is that they’re doing it for money.
Specifically, they are adding so many ads at every single user interaction that it amounts to spam. Even now, our test device has the same spammy messages from all similar apps. The why then becomes easy: they get a large user base (~70 million and counting) by doing absolutely nothing out of their own initiative.
If it is an automated process to find popular apps to clone or to duplicate master template APKs, then it could be a matter of minutes or max an hour to change the small details. After that, it’s a process of getting the app approved and set up on the Play store, arranging the business side of things, and finalizing the details.
If it’s even a day for each app, it isn’t a lot of work for the ad revenue. So how much money could they be making?
Some estimates give $0.10 per banner ad click, $1-$3 for interstitial ads, and $5-$10 per video ad shown.
So let’s run some estimates based on these numbers. Our base estimate is that all the apps in the 2NAD network have the same amount of intrusive ads. At 65 million installs, and 10% are monthly active users, you’ll get 6.5 million per month. That comes out to almost 217,000 ad displays per day. If they’re all banner ads, that equals 3,255 banner clicks per day, which equals $325 per day and almost $10,000 per month.
Going through the ranges (and keeping everything else the same), that’s $3,255-$9765 per day (almost $293,000 per month) for interstitial ads. And for video ads, at $5-$10 per video shown? That’s $16,275-$32,550 per day, equaling $488,250-$976,500 per month.
Of course, the real revenue is probably closer to the bottom than the top, but nonetheless, a range of $10,000 to nearly $1 million per month is not a bad hustle, especially for the little work done.
We sent the available APKs for the remaining 2NAD apps to Pradeo, a mobile security company that helps assess the 2NAD network’s purpose and any possible vulnerabilities. After their analysis, they found that:
- The network has industrialized their activity, along the way cloning apps and embedding their code, and finally building a dedicated library to fasten the process
- They relying on the domain http://market.playup.mobi/latest to update their ads content. The domain, reserved by the the anonymizing Domains By Proxy, LLC, dates back to 2017 and is oddly marked as “ClientRenewProhibited,” which is an uncommon status that prevents any renewal.
According to Caroline Borriello, COO for Pradeo, “Such a massive inclusion of ad libraries and request of various permissions clearly increases the risk of personal data leakage. If those apps are not strictly speaking malicious, they definitely affect end-users both in their user experience and privacy and on another end jeopardize real apps owner in their legitimate activity.”
Who is behind the 2NAD network?
This is the biggest question we had, and the one for which we seem to have the least amount of answers. Because of some numbers in some of these 2NAD app pages (520000, 420000, 300000) we get what looks like Vietnamese postal codes. But honestly, that could mean anything.
Beyond that, we have details in the APK files that point us instead towards China (or at least the Chinese market):
2NAD Alex Joe’s only app:
There aren’t a lot of reasons to include China Telecom APIs in your app unless you’re operating in China. We see something similar with the apps from Rusty Mari/Virgilo Malley:
Nonetheless, we believe the 2NAD network to be operating from somewhere in Asia, which makes the revenue range even starker, given the lower cost of living in most Asian countries.
Of course, if they are Chinese, then we may have issues of privacy that often arise.
What to do next
My next advice is going to be very simple: delete them, delete them all.
This is not just because of a suspicion of bad behavior: this is because of the high likelihood of cloned or duplicated apps, apps that provide inferior experiences compared to the original apps.
Beyond that, we have no real idea of what these apps are doing, as we haven’t yet performed a deep analysis. For your edification, the list of 101 apps by the 2NAD app developers is as follows:
|2NAD App developer||App name|
|Daniel Malley||Glitch Effect Video, Photo Editor Grainy Effect|
|Daniel Malley||Mod for Minecraft, Mods For Minecraft Animals 2019|
|Daniel Malley||Voice Changer, Voice Recorder Editor With Effects|
|Daniel Malley||Sketch Photo Editor And Pencil Sketch Art|
|Daniel Malley||Horoscope 2019 With 12 Zodiac Sign Master|
|Alex Joe||Face Makeup Camera & Beauty Photo Makeup Editor|
|Arrow Frankie||Video Editor With Music App, Video Maker Of Photo|
|Arrow Frankie||Call Recorder Automatic, Call Recording 2 Ways|
|Rusty Mari||Screen Recorder With Facecam & Audio, Video Editor|
|Rusty Mari||Nucie Cam: Beauty Selfie Camera With Photo Editor|
|Weldon Hazeltine||PDF Scanner Camera Scanner: JPG To PDF Converter|
|Weldon Hazeltine||App Locker Fingerprint, PIN And Gallery Locker|
|Weldon Hazeltine||Photo Collage Maker And Picture Grid Art Frame|
|Weldon Hazeltine||Metronome And Tuner For Instrument|
|Weldon Hazeltine||Relax Sound Sleep Music And Soothing Sounds|
|Jacinto Macias||Cut And Paste Photo Editor With Background Eraser|
|Jacinto Macias||Screen Recorder With Audio And Facecam, Screenshot|
|Jacinto Macias||App Locker With Password Fingerprint, Lock Gallery|
|Jacinto Macias||Video Maker With Music Photos, Video Effects App|
|Jacinto Macias||Photo Collage Maker And Picture Grid, Photo Layout|
|Jacinto Macias||Video Editor, Video Maker With Music Photos & Text|
|Flavia Sleeman||Video Editor With Music And Effects & Video Maker|
|Flavia Sleeman||Cut And Paste Photo Editor To Change Background|
|Flavia Sleeman||Screen Recorder, Game Recorder With Facecam, Audio|
|Flavia Sleeman||JPG To PDF Converter With Camera Scanner To PDF|
|Flavia Sleeman||Bubble Level Ruler With Inclinometer Free|
|Douglas Morace||RAR File Extractor And ZIP Opener, ZIP RAR Creator|
|Douglas Morace||Automatic Call Recorder Incoming And Outgoing App|
|Douglas Morace||App Locker With Password, Photo Gallery Locker|
|Douglas Morace||Color Call Screen Themes With Flash On Call|
|Dulcie Lawing||Glitch Effect Video Editor And Vhs Effect Photo|
|Dulcie Lawing||Internet Browser Private To Download Videos HD|
|Dulcie Lawing||Dual Account Double Space, Multi Account App|
|Dulcie Lawing||Alarm Pill Reminder, Medical Reminder And Tracker|
|Dulcie Lawing||Pixel Art Color By Number & Sandbox Coloring Game|
|Dulcie Lawing||Period Tracker, Menstruation & Ovulation Calendar|
|Kylian Mbapee||Call Screen Themes With Flashlight On Call|
|Kylian Mbapee||App Locker Fingerprint & Password, Gallery Locker|
|ProCam – HD Camera||Video Player All Format 2019 With Media Player App|
|ProCam – HD Camera||Photo Collage Maker And Photo Grid 2019 New|
|ProCam – HD Camera||Video Editor Of Photos, Video Recorder With Music|
|ProCam – HD Camera||MP3 Music Player, MP3 Cutter Ringtones Maker|
|ProCam – HD Camera||Beauty Camera, Makeup Photo Editor And Makeover|
|ProCam – HD Camera||PIP Photo Editor With PIP Camera Photo Maker 2019|
|Evan Well||School Hairstyles Step By Step, Braiding Hairstyle|
|Evan Well||Pixel Art Color By Number 2019 & Sandbox Coloring|
|Evan Well||Jigsaw Puzzles For Adults And Picture Puzzles|
|Evan Well||Flower Drawing Step By Step With Mandala Coloring|
|Evan Well||Photo Editor With Square Blur Pic, Slim Body|
|Evan Well||Vlog Editor And Video Maker With Music Photos|
|Samuels Dynamo||Battery Charger With Battery Saver And Optimizer|
|Samuels Dynamo||Memory Booster And Cleaner With Ram Optimizer|
|Samuels Dynamo||Volume Booster and Equalizer, MP3 Music Player|
|Samuels Dynamo||Phone Cooler Master And CPU Cooling 2020|
|Fruit VPN – Better Connect||Kiwi VPN Connection For IP Changer, Unblock Sites|
|Carrie Waters||Volume Booster & Sound Enhancer Music Player|
|Carrie Waters||Cooler Master CPU Cooling, Free Phone Cooler|
|Carrie Waters||Antivirus Cleaner Mobile Security & App Locker|
|Antoine Kenyon||Internet Speed Test Meter And WiFi Test Speed|
|Antoine Kenyon||Perfect VPN Proxy To Unblock Sites With IP Changer|
|Antoine Kenyon||Data Saver And Data Manager To Control Data Usage|
|Antoine Kenyon||GoFox – Incognito Browser And Private Web Browser|
|Darry Cowlly||Running Tracker With Step Counter And Calories|
|Darry Cowlly||Buttocks Workout: 30 Day Workout & Diet Challenge|
|Gaspard Aden||Automatic Call Recorder Both Sides To Record Calls|
|Gaspard Aden||App Locker With Password Fingerprint, Lock Pattern|
|Alfred Persen||Volume Booster Music Player And Sound Booster|
|Hwan Seon||QR Code Scanner & Barcode Reader, Product Checker|
|Hwan Seon||Assistive Touch: Easy Touch With Control Center|
|Hwan Seon||Voice Recorder And Editor With Cut Recorded Audio|
|Virgilo Malley||Video Slideshow With Music And Photos, Video Maker|
|Virgilo Malley||Beauty Camera Makeup Face Selfie, Photo Editor|
|Virgilo Malley||Cut Photo Editor Background Changer, Photo Filters|
|Virgilo Malley||Vintage Camera With Photo Editor Filters & Effect|
|Hudson Parker||Screen Recorder With Facecam & Screenshot Capture|
|Hudson Parker||Video Editor, Video Maker With Music Photos & Text|
|Hudson Parker||Makeup Camera and Beauty Makeover Photo Editor|
|Hudson Parker||Pixel Art Color By Number & Sandbox Coloring Pages|
|Wilfred Wessner||CPU Phone Cooler To Cool Down Phone Temperature|
|Wilfred Wessner||UltraShark VPN – Free Proxy Server & Secure VPN|
|Wilfred Wessner||Caller Screen Themes With Color Call Flash Screen|
|Adaline Garraway||Video Maker: Video Editor With Music And Slideshow|
|Adaline Garraway||Math Solver With Steps & Graphing Calculator|
|Adaline Garraway||Emoji Keyboard Themes & Color Fancy Keyboard|
|Adaline Garraway||Slow Motion Video Editor & Fast Speed Video Maker|
|Adaline Garraway||Graphing Calculator And Equation Solver Calculator|
|Armel Bilton||App Locker With Password Fingerprint, Photo Locker|
|Armel Bilton||Video Maker Of Photos & Effects, Slow Motion Video|
|Lukas Podolskies||Video Creator With Music & Video Maker Of Photos|
|Lukas Podolskies||Math Solver Camera With Equation Calculator|
|Lukas Podolskies||Mods For MCPE, Maps For Minecraft PE Free|
|Lukas Podolskies||Automatic Call Recorder Incoming And Outgoing Call|
|Lukas Podolskies||Fake Caller With Prank Calling & Call Simulator|
|Lukas Podolskies||Builder For Minecraft With Minecraft House|
|Lukas Podolskies||30 Day Challenge Workouts For Women, Weight Loss|
|Noble Gracious||RAR File Extractor And ZIP Opener, File Compressor|
|Noble Gracious||Screen Recorder With Audio And Facecam & Editor|
|Noble Gracious||Video Maker: Video Creator With Music And Photos|
|Noble Gracious||Makeup Photo Editor With Auto Makeup Camera|
|Noble Gracious||File Transfer To Another Phone And Share Anything|
|Noble Gracious||Voice Recorder Editor And HD Audio Recording|
The article was updated on April 22 to list all 101 apps within this network.