Security researchers from Wandera analysed two adware apps and found that it had some concerning permissions that did not fit with their advertised purpose.
The two apps, SunPro Beauty Camera and Funny Sweet Beauty Selfie Camera, pose as selfie camera filters and has been installed over 1.5 million times.
On top of the normal permissions required by any app in order to gain access to the camera, the apps were identified having dangerous permissions. One of which is “SYSTEM_ALERT_WINDOW”, which allows the app to overlay random content. This permission can be utilised by threat actors for clickjacking purposes or to even trick users into typing sensitive data such as banking credentials.
Another concerning permission found on the two apps is “RECORD_AUDIO” which allows the app to record audio using the device’s microphone without notifying the user. This of course is a privacy risk.
Researchers also found that the apps were aggressively pushing adware onto the entire screen of a user’s Android device.
During a test, the researchers observed that once the app was installed, the app icon is visible in the app drawer. However once launched, the app creates a shortcut and then removes itself from the drawer.
“Even after uninstalling the shortcut, the app stays active and can be seen running in the background,” Wandera explained.
With SunPro Beauty Camera, even if the app is never launched and after restarting the device, full-screen ads start to pop up and become difficult to close. With the Funny Sweet Beauty Camera app, full-screen ads begin to pop-up outside of the app “only when a filtered photo is downloaded via the app, locally on the device.”
Both the apps have accumulated negative reviews on Google Play.
The apps were reported to Google on September 11, and have been removed from the Google Play Store.
Researchers have recommended users to check their app inventory for installations of these apps, and to “remove instances of the apps if they have been installed”.
The post #privacy: Selfie Android apps found recording audio without consent appeared first on PrivSec Report.