Android apps with millions of downloads found to be violating user privacy

A recent BuzzFeed investigation found that six Android apps owned by the Chinese company DO Global - a spinoff of Chinese tech giant Baidu - have been committing ad fraud, asking for unnecessary permissions, and concealing their owners. One of the apps, Selfie Camera, has been installed more than 5 million times from the Google Play store and has a 4.5 star rating. In total, the six apps in question have more than 90 million downloads.

On the ad fraud front, researchers at Check Point found that the Selfie Camera app was sometimes running in the background of users' phones, eating battery and data. The code would search for whether or not the user had clicked on an ad recently and, if they hadn't, click on it for them and thereby generate revenue for the company. The researchers found fake clicks on ads from both Google's mobile ad network, AdMob, and Twitter's mobile ad network, MoPub.

"It's not something you can say is in the gray area - it's a clear-cut fraudulent activity," Aviran Hazum, the analysis and response team leader for Check Point, told BuzzFeed News.

Google responded to the reports of fraud first by saying that the apps would remain in the store while they investigated. They later removed and blacklisted all of them.

"We explicitly prohibit ad fraud and service abuse on Google Play. Developers are required to disclose the collection of personal data, and only use permissions that are needed to deliver the features within the app," a company spokesperson said in an emailed statement. "If an app violates our policies, we take action that can include banning a developer from being able to publish on Play."

According to user reports, the Selfie Camera app also included unlisted "performance enhancements" that interfered with phone functioning. A malware researcher hired by the BuzzFeed team found that the app included "a hidden battery monitor, CPU cooler, and the ability to view external websites, among others."

In addition to click fraud and hidden features, all but one of the the DO Global apps listed their developer as "Pic Tools Group (Photo Editor& Photo Grid&Collage)" instead of DO Global or Baidu. This concealed the fact that they were owned by Chinese companies, a country with a poor record when it comes to data privacy. It also explicitly goes against Google Play policy, which disallows "apps or developer accounts that impersonate any person or organization, or that misrepresent or conceal their ownership or primary purpose ... or conceal their country of origin and that direct content at users in another country."

Finally, all of the apps had confusing or misleading privacy policies. (Which were, oddly, hosted on the following Tumblr blogs: dreamilyswimmingwizard.tumblr.com, yesexactlyinnerbouquetstuff.tumblr.com/, and superiorzzr.tumblr.com.) The policies were either vague about what information was being collected by whom or were outright false, such as the Selfie Camera app claiming it does not collect user data.

This isn't the first time Android apps have been discovered to violate user privacy - and it won't be the last. Until Google chooses to self-monitor their app store more closely, privacy-minded consumers should be cautious about the apps they download.

Share this post

About Tenta

Tenta is a next generation browser designed for privacy and security. Built-in true VPN, full data encryption, video downloader, secure medai vault, HTTPS Everywhere, Tenta DNS, and more.

View all posts by Tenta >

Install Tenta Browser Free!

Start protecting your online privacy today with Tenta Browser.

Download Tenta Browser Google Play Button