These Android privacy apps might be distributing malware and spying on you
In the days of omnipresent leaks, breaches and corporate or state surveillance, storing your data without protection is no longer reasonable. That’s why more and more people are looking for spaces to safely store their most sensitive private pictures, videos, and messages.
Which is exactly what privacy vault apps are supposedly made for.
With a privacy vault app, you can move all of your sensitive data to a secret, password-protected (or even encrypted) folder on your phone. That way, even if someone else has access to your device, the likelihood of them discovering anything too sensitive becomes a lot lower. It’s one of the main reasons why privacy apps are widely used to privately store photos, videos, and even other apps away from the prying eyes of cyberbullies, government agencies, and hackers.
But some of these apps do the exact opposite: they spy on you when you’re the most vulnerable, sell your sensitive data to advertisers (or worse), or even infect your smartphone with adware or malware.
First, there’s Vault - Hide Pics & Videos, App Lock, Free Backup, an app that has been downloaded and installed 50 million times. It has been identified as either malware or spyware, but instead of removing the app from Google Play, developer cxzh.ltd simply renamed it by changing a single word and continues to offer this and 19 other apps to unsuspecting users to this day.
Then, there’s Security Master – an all-in-one privacy, antivirus, and VPN app with 500 million installs whose developer Cheetah Mobile has been found to be “collecting all manner of private Web use data,” as well as committing ad fraud. (Update: as of March 3, 2020 Security Master has been removed from the Play store.)
And then, there’s Video Hider – Privacy Lock, the privacy app that apparently needs no permission to use your camera and simply takes your picture if you enter the wrong PIN when you open it.
Most of these apps are still up and available on Google Play and are still being used by more than half a billion people. If you have any of these dangerous apps installed on your smartphone, we suggest you remove them immediately and think twice before downloading suspicious apps from Google Play or any other app store.
Here’s what to look out for:
- Too many permissions: if all it does is move your photos to a secure folder but insists on knowing your location, consider looking for a less invasive app.
- It’s developed by a company you’ve never heard of: if it’s not made by a reputable developer, consider sticking to safer options from brands you already know and trust.
- If it’s free, you’re probably the product: many free apps on Google Play engage in unethical advertising or simply mine your data and sell it for profit, so make sure to take that into consideration before trusting any free app with your privacy.
For this research, we downloaded and analyzed the top 30 apps on the Google Play store that were displayed when we entered the keyword “privacy app.” We then extracted the APK files from those apps and took permission data from those APKs. Our analysis was based on the following:
- The amount and potential risk of permissions the apps are asking for
- The reputation of app developers, including their location and any potential history of ad fraud, malware, vulnerabilities or unethical practices
App permissions were analyzed by uploading the APKs to the Hybrid Analysis service and generating Android permission reports. Initial data on Google Play app rankings was collected in February 2020 and updated in March 2020.
Summary of our results
The key takeaways from our research are quite worrying, to put it mildly:
- 18 out of the top 30 apps are based in China or Hong Kong
- One app can take your selfie without asking for permission to use your camera
- One app developer has been accused of committing ad fraud – its privacy vault app with more than half a billion installs has since been removed from the Play store
- Two top-10 ranked app developers, with more than 60 million downloads in total, had apps identified as malware
- One app developer’s apps were found to be distributing malware
- These apps are requesting up to 14 dangerous permissions, 4 on average, most of which are unnecessary for the app to function
- Unnecessary permissions include recording audio, initiating phone calls, getting users’ exact GPS location, and using body sensors
- One app asks for a massive list of 170 permissions in total
Dangerous privacy apps in Google Play’s top-30 rankings
Our analysis of the top-ranked privacy vault apps in the Play store led to several eye-opening revelations. Here’s what you should know.
This privacy app took my selfie without permission
Most privacy vault apps have built-in camera features that let users take pictures that are instantly saved in the apps’ hidden picture galleries. However, during our initial analysis, we found that only 26 out of 30 apps asked for the CAMERA permission.
After our unpleasantly surprising encounter with a beauty camera app that used our camera without permission, we had a nagging suspicion – some of those four apps that didn’t ask for our permission to use our camera might in fact use it anyway.
As a result, I downloaded and installed these four apps and launched each of them in our test lab to see if our hunch was correct. Three of the four apps simply didn’t have any features that would use the camera.
But then I installed Video Hider – Privacy Lock, an app that has 100,000+ installs and promotes itself as “your mobile privacy expert.” This app only asks for a single dangerous permission – WRITE_EXTERNAL_STORAGE. However, as I went through the app’s options menu, an interesting feature caught my eye:
The option to make an “intruder selfie” is a common feature seen in privacy vault apps – it makes the app use the phone’s front-facing camera to snap a picture of whoever is trying to access your vault by entering the wrong PIN. This was off by default.
However, when I turned it on, no prompt for the CAMERA permission followed. I then exited the app and deliberately entered the wrong PIN when prompted.
Here’s what I then found in the app’s hidden photo gallery:
It turns out that my suspicions were not wrong: the app used the camera without asking for the permission to do so.
So much for safeguarding our privacy, Video Hider – Privacy Lock. Interestingly, the app also has a private, “encrypted” notebook feature that invited me to start a secret diary with this creepy welcome message:
That’s when I promptly turned the app off and uninstalled it. Which, in case you also have it installed on your phone, I suggest you do as well.
Malware by any other name
The developers behind four top-ranked privacy vault apps, with more than 70 million downloads in total, have had their apps identified as malware or adware in the past.
The #6 ranked Vault - Hide Pics & Videos, App Lock, Free Backup by developer cxzh.ltd was flagged as malware by the Indian government in 2017. So, what did cxzh.ltd do in response? They went ahead and renamed their app. That’s it. The app is still available to download on Google Play and has 50 million+ installs. Another app by the same developer, Lynx Privacy-Hide photo/video, Free 5GB Backup, is now #12 in the top-30 rankings and has been installed 500,000 times.
Following right after cxzh.ltd’s vault app is the #7 ranked LOCKit - App Lock, Photos Vault, Fingerprint Lock, made by SuperTools Corporation, a developer owned by SHAREit technologies, the company that was also identified as malware or spyware by India’s Ministry of Electronics and Information Technology. This app has been downloaded and installed by 10 million users.
TOHsoft, the Vietnam-based app developer behind Applock - Fingerprint Password, has had one of its apps spreading a banking trojan that stole money from users’ PayPal accounts by misusing Android Accessibility services. Applock - Fingerprint Password has 10 million installs to date.
Permissions to spy on you
Generally, privacy vault apps should require about two or three dangerous permissions to function: READ_EXTERNAL_STORAGE (to read your files), WRITE_EXTERNAL_STORAGE (to save these files in the vault) and CAMERA (to take a picture and store it in a hidden vault or take a snapshot of an intruder).
However, we found that some of these apps are asking for many more permissions than necessary. Our analysis shows that on average, the apps are asking for 4 dangerous permissions. One of these apps asked us to grant 14 dangerous permissions, including BODY_SENSORS – the ability to read data from sensors that measure what is happening inside the user’s body, such as heart rate.
Let’s take a look at what dangerous permissions these apps are requesting:
- 1 app wants the ability to read body sensors that measure things like steps and heart rate
- 1 app wants the ability to read and create your events on your calendar
- 1 app wants the ability to initiate internet telephony sessions (SIP)
- 3 apps want the ability to initiate phone calls
- 5 apps want to access your contacts list
- 5 apps want the ability to add new contacts to your phone
- 7 apps want the ability to record audio
- 6 apps want access to your GPS location
- 8 apps want access to your coarse location (via cell towers and wifi networks)
- 9 apps want access to your phone state
- 26 apps want access to your camera
- 27 apps want the ability to read files on your device
- 30 apps want the ability to write files to your device
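The permission comparison described above, as an added example that is not part of the original research: it reads a decoded AndroidManifest.xml (for instance one produced by apktool), counts the dangerous permissions, and lists those beyond the storage-and-camera baseline. The sample manifest is constructed, the dangerous-permission set covers only the permissions named in this article, and a missing CAMERA entry is reported because the article treated that as a reason to test the app by hand.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Dangerous permissions named in this article (a subset of Android's full list).
DANGEROUS = {
    "BODY_SENSORS", "READ_CALENDAR", "WRITE_CALENDAR", "USE_SIP", "CALL_PHONE",
    "READ_CONTACTS", "WRITE_CONTACTS", "RECORD_AUDIO", "ACCESS_FINE_LOCATION",
    "ACCESS_COARSE_LOCATION", "READ_PHONE_STATE", "CAMERA",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE",
}
# What the article says a vault app plausibly needs.
BASELINE = {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "CAMERA"}


def audit_manifest(manifest_xml: str) -> dict:
    """Classify the <uses-permission> entries of a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    declared = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name", "")
            if name.startswith(PREFIX):
                declared.add(name[len(PREFIX):])
    dangerous = declared & DANGEROUS
    return {
        "package": root.get("package"),
        "total_declared": len(declared),
        "dangerous": sorted(dangerous),
        # Dangerous permissions beyond what vault functionality explains.
        "excess": sorted(dangerous - BASELINE),
        # Baseline permissions not declared: check on a device whether the
        # matching feature (e.g. an intruder selfie) works anyway.
        "undeclared_baseline": sorted(BASELINE - declared),
    }


# Constructed sample manifest (not taken from any real app).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vault">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
</manifest>"""

if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE).items():
        print(f"{key}: {value}")
```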
But why do so many privacy vault apps need to track your GPS location, access your calendar, or monitor your heart rate?
Take a wild guess.
Why do these apps harvest so much of your data?
Whenever you download a free privacy vault app from the Play store, there’s a good chance that its creators make money by collecting your data and selling it to advertisers. Just by injecting a few lines of code into their apps, these developers can take whatever data their free app can collect from your phone and send it to data brokers for profit.
According to a New York Times investigation, the location-targeted advertising industry is worth approximately $21 billion a year, with “around 1,200 Android apps and 200 iOS apps” containing location-sharing code at the time of the NYT report.
With the data mining business booming and more data brokers entering the industry, crafty app developers can sell your data to multiple companies and stand to make a lot of money. As reported by BuzzFeed News, free app developer Cheetah Mobile “brought in $196 million in revenue” just in Q3 2018 from “utility products and related services.”
Who would have guessed that making free privacy apps that actually spy on you is quite a profitable business?
In light of the results of our investigation, our recommendation is to consider the following points before downloading any app from the Play store:
- Make sure to check what permissions it requires to function. You can do this by tapping About this app in the app description, scrolling down and tapping See more next to App permissions. If you feel that the app is asking for too many dangerous permissions, don’t install it.
- Google the app developer. If you notice their name mentioned in malware reports or around unethical behavior scandals, skip the app.
The full list of the 30 analyzed privacy apps is below.
| App Name | Ranking on Google Play for "privacy app" | Installs March 2020 | Number of dangerous permissions |
|---|---|---|---|
| Privacy Master - Hide, AppLock | #1 | 500,000 | 3 |
| Video hider - privacy lock | #2 | 100,000 | 1 |
| App Lock - Privacy lock | #3 | 500,000 | 2 |
| Video Vault - photo hider & privacy keeper | #4 | 500,000 | 4 |
| Sgallery - Hide photos, hide videos, gallery vault | #5 | 100,000 | 3 |
| Vault - Hide Pics & Videos, App Lock, Free Backup | #6 | 50,000,000 | 9 |
| LOCKit - App Lock, Photos Vault, Fingerprint Lock | #7 | 10,000,000 | 6 |
| AppLock - Privacy Guard | #8 | 1,000,000 | 5 |
| Private Photo, Video Locker | #9 | 5,000,000 | 7 |
| Privacy AppLock - Apps & Photo & Fingerprint | #10 | 50,000 | 2 |
| Lynx Privacy-Hide photo/video, Free 5GB Backup | #11 | 500,000 | 3 |
| Calculator - Photo Vault hide photos & videos | #12 | 1,000,000 | 3 |
| AppLock - Lock Apps & Privacy Guard | #13 | 1,000,000 | 3 |
| Photo Vault PRIVARY: Hide Photos, Videos & Files | #14 | 1,000,000 | 3 |
| Calculator Vault : App Hider - Hide Apps | #15 | 5,000,000 | 14 |
| NEV Privacy - Files Cleaner, AppLock & Vault | #16 | 500,000 | 3 |
| Hide Photos, Video and App Lock - Hide it Pro | #17 | 10,000,000 | 5 |
| Calculator - Photo Vault & Video Vault hide photos | #18 | 5,000,000 | 3 |
| Calculator Lock – Lock Video & Hide Photo – HideX | #19 | 10,000,000 | 4 |
| LOCKED Secret Album = Hide Photo Vault, Video Safe | #21 | 50,000 | 3 |
| Calculator Photo Vault - Hide Photos & Videos | #22 | 500,000 | 3 |
| Keepsafe Photo Vault: Hide Private Photos & Videos | #23 | 50,000,000 | 3 |
| Phantom.me: Invisible & complete mobile privacy | #24 | 100,000 | 6 |
| AppLock - Lock Apps & Security Center | #25 | 1,000,000 | 7 |
| Private Photo Vault | #27 | 10,000,000 | 7 |
| Private App Lock | #28 | 100,000 | 2 |
| Applock - Fingerprint Password | #29 | 10,000,000 | 3 |
| Security Master - Antivirus, VPN, AppLock, Booster | #30 | 500,000,000 | 9 |
Total installs: 678,600,000