Whenever we post “delete these apps” stories, we invariably see comments claiming that the malware apps in question are so bizarre and pointless, you’d have to be the dumbest Android user on Earth to download them in the first place (or something to that effect).
According to a new report from VPNpro, the Chinese company Shenzhen Hawk appears to have launched 24 different sketchy apps into the Google Play Store that have racked up a total of 382 million downloads. While you might not have been suckered into installing one onto your device, plenty of people were. And these apps didn’t all come from Shenzhen Hawk directly; the company used a number of different app developer names to obfuscate its motives.
While not all of these apps were as mischievous as the others, a number of them asked for specific permissions that exceeded what the app likely needed. For example, an antivirus scanner app might have asked to access your Android camera—not something we would expect it to need, were it only scanning files on your phone.
As Forbes’ Zak Doffman describes:
Of the 24 apps listed in the report, six request access to a user’s camera and two to the phone itself, meaning they can place calls. 15 of the apps can access a user’s GPS location and read data on external storage, while 14 can collect and return details of a user’s phone and network. One of the apps can record audio on the device or its own servers, another can access a user’s contacts.
Once installed, these apps can communicate with an external server controlled by their developers. By retrieving location and user details, the lowest risk is that this fuels targeted marketing, with user data sold to advertisers who will then be able to personalise unwanted ads for those users. Those servers are in China, and at least one of those apps—Weather Forecast—was reportedly sending user data there. The permissions granted would enable premium calls to be made, websites to be visited and additional malware to be downloaded onto a device.
Here are all the crappy apps you should delete
It’ll take all of one minute or so to check your phone and make sure you don’t have any of the scammy apps from Shenzhen HAWK—or the various app developer names it uses. Google has removed all 24 apps in question from the Google Play Store, but you’ll have to uninstall them manually. They won’t just disappear from your device.
The apps, ranked in order of downloads, are:
- Sound Recorder (100M)
- Super Cleaner (100M)
- Virus Cleaner 2019 (100M)
- File Manager (50M)
- Joy Launcher (10M)
- Turbo Browser (10M)
- Weather Forecast (10M)
- Candy Selfie Camera (10M)
- Hi VPN, Free VPN (10M)
- Candy Gallery (10M)
- Calendar Lite (5M)
- Super Battery (5M)
- Hi Security 2019 (5M)
- Net Master (5M)
- Puzzle Box (1M)
- Private Browser (500,000)
- Hi VPN Pro (500,000)
- World Zoo (100,000)
- Word Crossy! (100,000)
- Soccer Pinball (10,000)
- Dig it (10,000)
- Laser Break (10,000)
- Music Roam (1,000)
- Word Crush (50)
If any of these look like something you have on your device, you can also check to see whether the developer is one of the following:
- Tap Sky
- ViewYeah Studio
- Hawk App
- Hi Security
- Alcatel Innovation Lab
- Shenzhen Hawk
If so, you should delete the offending apps. Don’t dawdle.
But it’s more than just deleting scammy Android apps
Even if you’ve been smart and haven’t grabbed any of those crappy apps, this whole deal is a great reminder that it’s important to think about what an app actually wants and needs whenever it asks for permissions.
There’s no one-size-fits-all answer to guide you on this one, and it’s possible you might not realize that an app actually needs a higher-risk permission to function (like your location or access to your camera). But if an antivirus app wants permission to record audio from your device, or a solitaire game needs access to your location and calendar, you might want to consider denying that permission up front and seeing if you can still use the app without issue. (I’d delete it and find a different app, but that’s just me.)
And since we’re on the topic, don’t forget about the app permissions section of Android 10 that you can use to see which apps you’ve granted access to various parts of your phone. On my Pixel, I can access this by tapping on the Settings app, Privacy, and then Permission manager. Once there, you’ll see a variety of permissions you’ve granted (organized by category), as well as however many apps are allowed to access features like your contacts, text messages, and microphone.
To change an app’s permissions, simply tap on it within any of these categories to switch between “Allow” and “Deny.”
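The same review can be done from a computer for one app at a time. The following is an added example, not part of the original article: it parses the text printed by `adb shell dumpsys package <package-name>` and lists granted sensitive permissions that the app's category does not explain. The sample output, the package name `com.example.viruscleaner` and the `EXPECTED` table are constructed for illustration, and the output layout can differ between Android versions.

```python
import re

P = "android.permission."

# Sensitive permissions named in the report, with what each one exposes.
RISKY = {
    P + "CAMERA": "camera",
    P + "RECORD_AUDIO": "microphone",
    P + "ACCESS_FINE_LOCATION": "GPS location",
    P + "READ_CONTACTS": "contacts",
    P + "CALL_PHONE": "placing calls",
    P + "READ_PHONE_STATE": "phone and network details",
    P + "READ_EXTERNAL_STORAGE": "external storage",
}

# Assumption for illustration: what each kind of app can plausibly justify.
EXPECTED = {
    "antivirus": {P + "READ_EXTERNAL_STORAGE"},
    "camera": {P + "CAMERA", P + "READ_EXTERNAL_STORAGE"},
    "weather": {P + "ACCESS_FINE_LOCATION"},
}

# Constructed sample of dumpsys output (the package name is made up).
SAMPLE = """\
Package [com.example.viruscleaner] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
      android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=true
"""

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)", re.M)

def granted_permissions(dumpsys_text):
    """Return the permissions marked granted=true (requested-only lines are skipped)."""
    return {name for name, state in GRANT_RE.findall(dumpsys_text) if state == "true"}

def unexpected_permissions(dumpsys_text, category):
    """Granted sensitive permissions that the app's category does not justify."""
    allowed = EXPECTED.get(category, set())  # unknown category: nothing is justified
    granted = granted_permissions(dumpsys_text)
    return sorted(p for p in granted if p in RISKY and p not in allowed)

if __name__ == "__main__":
    for perm in unexpected_permissions(SAMPLE, "antivirus"):
        print(f"{perm}: grants access to {RISKY[perm]}")
```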
Since, as mentioned, it’s hard to tell when an app’s permission requests are for legitimate uses or not, I think it’s also a great idea to get pickier about the apps you install on your Android. That doesn’t mean you should always stick to the “top” charts on the Google Play Store—since, obviously, the number of downloads an app gets has no impact on whether it’s trying to weasel malware onto your device. It also doesn’t mean that you can blindly trust anything that’s in the Google Play Store. Google tries to weed out bad actors when it can, but it’s far from perfect.
Instead, think about whether that new app or game you’re grabbing is really something meaningful that you need to have. Read some reviews—on the Play Store and from reputable third parties—to see what they have to say about an app’s experience. Does it look like it was cobbled together quickly? Is it replicating a feature that you could find from better, more noteworthy app developers? Is it mimicking something you can already do on your phone? Have you ever heard of the developer before, and do the rest of their apps look legitimate or a bit too carbon-copy?
The best way to stay safe on any app store is to exercise some common sense. You don’t need every app that you stumble across, and you really shouldn’t let random apps have all the system permissions they ask for unless the requests seem legitimate. And take some time to prune apps you don’t use off your smartphone, so you can be sure that they aren’t just lingering around and causing trouble—if they’re scammy, that is.