Image editors, custom keyboards and themes for the Android operating system were the bait used to hook users of the platform in a malicious campaign that reached 10 million installations before being taken down. The nearly 30 applications identified carried viruses that displayed ads, stole passwords and social media accounts, or enrolled users in paid services without their knowledge.

This is an ongoing infection campaign, with one of the malware variants present on the Google Play Store since at least May 2022. In most of the cases identified by the security experts at Dr. Web, the applications asked for permission to display screens over other, legitimate software. That access was then used to insert ads where they should not appear or in place of legitimate advertisements, with the proceeds going directly into the criminals' pockets.

Android apps that masquerade as image editors and utilities ask for permission to display overlays, which are used to display fraudulent ads to users (Image: Reproduction/Dr. Web)

The software also concealed its presence among the apps installed on the phone, replacing its own icon with that of tools related to the SIM card and other elements of the operating system. One of them, Neon Theme Keyboard, accumulated more than one million downloads on its own with the promise of a colorful keyboard with striking colors; it remains available, although it now has dozens of negative reviews.

The second wave of malicious applications discovered by Dr. Web is related, once again, to Joker, a malware family that has frequently appeared in infection campaigns that use the Google Play Store. It enrolls the user in paid services without authorization, and the victim often only notices the problem when their credit runs out or the phone bill arrives.

At least three apps on the list remain on the official Android store, some even delivering what they promise while carrying out the malicious activities (Image: Reproduction/Dr. Web)

Here again, two apps are still available on the Google Play Store, with the contamination coming in the guise of an app for water reminders and another for yoga exercises. They effectively deliver what they promise and, together, they already have more than 200,000 downloads, which automatically translate into earnings for the crooks.

Apps that promise to cartoonize the photos of Android users were bait to steal credentials from Facebook and other social networks (Image: Reproduction/Dr. Web)

Finally, the security report points to two apps, YouToon – AI Cartoon Effect and Pista – Cartoon Photo Effect, that promise to cartoonize users’ photos but would be responsible for the theft of credentials. The main target would be Facebook accounts, and the combined total of 1.5 million downloads shows that a lot of people may have fallen for the scam.

What are the dangerous apps for Android?

The complete list of rogue apps identified by Dr. Web is below. According to the researchers, with the exception of the three mentioned in the report, all of them have already been removed by Google:

Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)

Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)

Photo Editor: Art Filters (gb.painnt.moonlightingnine)

Photo Editor – Design Maker (gb.twentynine.redaktoridea)

Photo Editor & Background Eraser (de.photoground.twentysixshot)

Photo & Exif Editor (de.xnano.photoexifeditornine)

Photo Editor – Filters Effects (de.hitopgop.sixtyeightgx)

Photo Filters & Effects (de.sixtyonecollice.cameraroll)

Photo Editor : Blur Image (de.instgang.fiftyggfife)

Photo Editor : Cut, Paste (de.fiftyninecamera.rollredactor)

Emoji Keyboard: Stickers & GIF (gb.crazykey.sevenboard)

Neon Theme Keyboard (com.neonthemekeyboard.app)

Neon Theme – Android Keyboard (com.androidneonkeyboard.app)

Cashe Cleaner (com.cachecleanereasytool.app)

Fancy Charging (com.fancyanimatedbattery.app)

FastCleaner: Cashe Cleaner (com.fastcleanercashecleaner.app)

Call Skins – Caller Themes (com.rockskinthemes.app)

Funny Caller (com.funnycallercustomtheme.app)

CallMe Phone Themes (com.callercallwallpaper.app)

InCall: Contact Background (com.mycallcustomcallscrean.app)

MyCall – Call Personalization (com.mycallcallpersonalization.app)

Caller Theme (com.caller.theme.slow)

Caller Theme (com.callertheme.firstref)

Funny Wallpapers – Live Screen (com.funnywallpapaerslive.app)

4K Wallpapers Auto Changer (de.andromo.ssfiftylivesixcc)

NewScrean: 4D Wallpapers (com.newscrean4dwallpapers.app)

Stock Wallpapers & Backgrounds (de.stockeighty.onewallpapers)

Notes – reminders and lists (com.notesreminderslists.app)

Paying attention to developers and comments is a good way to protect yourself. When looking for a mobile app, prefer solutions by recognized and reliable developers, who have a good track record and positive reviews on the Google Play Store; the same is also true for iPhone and iPad users.

Search Google for the name or type of application you want, to find lists of recommendations on tech sites or, failing that, reports like this one that flag the danger of certain applications. Finally, keep the operating system and the antivirus software installed on the device up to date so that they can detect the most common attack vectors.

When downloading an app, note the requested permissions and assess whether the solution actually needs them: a sign of strange behavior is, for example, a water reminder app requesting access to the camera or text messages. Also, be on the lookout for software that asks for permission to use Android’s accessibility services when it has no need for them, a common avenue for cybercriminal attacks on the platform.
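The permission check described above can be automated for a device you manage. The following is an added example, not code from Dr. Web or from this article: it matches installed packages against lines in the list format used above and flags apps that request the overlay permission or have an accessibility service enabled. It assumes the inputs are saved output of `adb shell pm list packages`, `adb shell dumpsys package <id>` and `adb shell settings get secure enabled_accessibility_services`; the `com.example.*` packages and all sample output are constructed.

```python
import re
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

def flagged_ids(article_list):
    """Extract package IDs from lines shaped like 'App name (package.id)'."""
    return set(re.findall(r"\(([A-Za-z0-9_.]+)\)\s*$", article_list, re.M))

def requested_permissions(dumpsys_output):
    """Collect the 'requested permissions:' block of `dumpsys package <id>`."""
    perms, inside = set(), False
    for line in dumpsys_output.splitlines():
        s = line.strip()
        if s == "requested permissions:":
            inside = True
        elif inside and (not s or s.endswith(":")):
            break                        # blank line or next section header
        elif inside:
            perms.add(s.split(":")[0])   # drop suffixes such as ': restricted=true'
    return perms

def audit(flagged, pm_list, dumps, a11y_setting):
    """Return {package: [reasons]} for installed apps that need a manual look."""
    installed = set(re.findall(r"^package:(\S+)", pm_list, re.M))
    # The accessibility setting is a colon-separated list of 'package/class'.
    a11y = {c.split("/")[0] for c in a11y_setting.strip().split(":") if "/" in c}
    findings = {}
    for pkg in sorted(installed):
        reasons = []
        if pkg in flagged:
            reasons.append("listed by Dr. Web")
        if OVERLAY in requested_permissions(dumps.get(pkg, "")):
            reasons.append("requests overlay permission")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample data (not captured from a real device).
ARTICLE_LIST = "Neon Theme Keyboard (com.neonthemekeyboard.app)\nCaller Theme (com.caller.theme.slow)\n"
PM_LIST = "package:com.neonthemekeyboard.app\npackage:com.example.water\npackage:com.example.notes\n"
DUMPS = {
    "com.neonthemekeyboard.app": "  requested permissions:\n    android.permission.INTERNET\n"
                                 f"    {OVERLAY}\n  install permissions:\n",
    "com.example.water": "  requested permissions:\n    android.permission.INTERNET\n",
}
A11Y = "com.example.notes/.ReaderService"
if __name__ == "__main__":
    print(audit(flagged_ids(ARTICLE_LIST), PM_LIST, DUMPS, A11Y))
```

Legitimate apps also request overlays or run accessibility services, so a finding without a list match is a prompt to check whether the app's stated purpose needs that access.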

