If you’ve ever downloaded a beauty camera app, you should take a few minutes and read a new report by CyberNews.
The team, led by lead researcher Bernard Meyers, cautions consumers that some of these “free” apps may really come with a steep cost as they may be scraping and selling your data, pestering you with nonstop ads, redirecting you to phishing sites, or even just plain spying on you.
Of course, some of the above is not exactly breaking news. As the team notes, the #1 beauty camera app, BeautyPlus – Easy Photo Editor & Selfie Camera had hundreds of millions of installs and yet was identified as being malware or spyware and blacklisted by the Indian government by November of 2017.
The new report cites other examples where apps have been criticized for privacy issues or including malware or spyware. Of note, the researchers also claim that three developers — Coocent, KX Camera Team, and Dreams Roomthat — appear to be independent entities but may all be linked to one group in China. The researchers provide some evidence linking the three through common privacy policies on the same server. But then the researchers go on to speculate that these developers “may be connected to apps previously found to contain a widely-dispersed Trojan.” Their evidence for that is more tenuous, and seems to boil down to the name of one of the developers showing up in the ID for a family of malware.
But perhaps the most immediate concern raised by the report was their finding that Beauty Camera by Phila AppStore – an app that has been installed more than half a million times — seemingly goes ahead and accesses your camera without ever asking for your explicit consent to do so.
Bernard Meyer reports that he was surprised to see his face on screen because he never authorized the app to access his camera .
When the researchers dug into this problem a bit more, it appeared that as long as the user had granted access to the phone’s storage, the app was able to turn the camera on without ever requesting or obtaining the user’s consent.
Let’s restate that: this app is taking pictures and recording video without permissions. And team member and CyberNews COO Laura K. Inamedinova explained to me when I contacted them about their report:
If they’re not recording you now, you are allowing them to do that anytime they want, and imagine if all of these apps had a trigger to do it at the same time? While you’re sleeping? We didn’t analyze deeply to where the captured images or video are being sent, or what other data is being sent to servers in whatever location. The major point is: this app is clearly violating a fundamental app development policy, and therefore may be doing so on other fronts. In general though, would you trust such an app to be on your phone at all?
Well, I wouldn’t, but I tend to be a cynical suspicious soul who doesn’t care about vanity or beauty anyway. But I would hate to think of what might happen if this was on a phone that my children or grandchildren used.
The team also informed me that on December 18, they submitted their findings and concern about Beauty Camera by Phila AppStore to Google Play for Android using the required form. No response from Google has been received. If an app is accessing the camera without explicit permission, I would hope that Google would have removed it from the Play Store promptly.
But this one camera wasn’t the only problem the researchers found. Out of 30 beauty camera apps they tested, they found that too many were requesting too many dangerous permissions. Specifically:
● 1 app wants the ability to scan your contacts list
● 13 apps want access to your GPS location
● 10 apps want access to your coarse location (via cell towers and wifi networks)
● 23 apps want access to your microphone
● 30 apps want the ability to write files to your device
● 29 apps want access to your camera
● 29 apps want the ability to read files on your device
And while only a few permissions are required for the app to function, one app reportedly included a whopping 40 total permission requests.
The researchers give readers some sound advice:
● These apps are non-essential, as they provide no crucial function
● The top-ranked apps are created by developers with spotty reputations, outright
malicious behavior, or using unethical practices
● There are bigger, more dependable apps out there that have similar features, are
more accountable and with a clearer ownership structure, such as Messenger,
Snapchat, Instagram, etc.
You can read CyberNews’ full report at https://cybernews.com/security/popular-camera-apps-steal-data-infect-malware/
PogoWasRight.org sought a response from Phila AppStore to the researchers’ finding, but the first attempt failed to be delivered, and the second attempt did not get an immediate reply. This post will updated if and when I do get a response from them or an update on the situation.