Android: Secret network of 27 app developers

[German]Security researchers have uncovered a secret network of 27 developers who have posted a total of 103 'potentially malicious' apps with 69 million downloads on the Google Play Store. The apps have now been largely removed from the Play Store by Google.


The information came to me last week directly from the CyberNews security researchers, who have since documented it here. The secret developer network includes at least 27 app developers. They exchange apps with each other, steal apps from popular developers, and have posted a total of 101 apps with fraudulent features to the Google Play Store. In total, the security researchers estimate 69 million downloads.

Little known about the group

Security researchers write that little is known about the secret network of these developers. The names of the App developers listed in the Google Play Store consist of two parts. They're mostly Western names or terms like Alex Joe, Hudson Parker (the names can be found in the linked blog post). Security researchers have referred to this group as a two-named app developer network (2NAD). The following criteria are common, which the security researchers noticed:

  • These apps require an immense amount of dangerous permissions that pose significant risks to users.
  • All 2NAD developers use the same privacy policy, which is all published in Google Docs.
  • The websites listed for each application are all based on the same incomplete Firebase "website", which all have the same URL structure. The link to the website is a shortened link.
  • When the researchers looked at the APKs, they found obvious duplicates of apps exchanged between the developers of the 2NAD network.
  • Some APKs were clearly stolen from other, more popular app developers outside the 2NAD network.
  • Comparing these duplicated or stolen applications, the duplication of apps is easily recognizable.

The problems of apps uploaded from the 2NAD network to the Google Play Store are many and varied. First of all, duplicating apps from other developers and stealing apps from other developers most likely violates Google's Android policies. In addition, these apps also violate other Android policies, including:

  • Misrepresentation, as they mislead their users and engage in "coordinated activity to mislead users" by not informing users that they are likely to be part of the same network.
  • Repetitive content that does not prohibit apps that have very similar (in specific cases almost 100% similar) features, content and user experience.
  • The "Made for Ads" policy, which does not allow apps whose primary purpose appears to be simply to display ads to generate advertising revenue.

The researchers write: In addition, it is bad for the user if cloned/stolen apps can, at best, provide a poor user experience and are inundated with ads. In the worst case, these apps can later be misused as vehicles for malicious purposes. This includes stealing data (the permissions are requested by the app) or introducing other malware.

The security researchers disclose further details in their article. Google has finally removed all but 1 of these 2NAD apps from the play store. The only app left from this network is the Video Editor, Video Maker With Music Photos & Text, originally published by developer Jacinto Macias. The new developer is Alla Morning. But if you find one of these apps (listed at the end of the linked article) on your Android device, you should delete it immediately.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security and tagged , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *