The scourge of Android permission abuse has reared its ugly head again in the latest disclosure from the research team at VPNpro. The new report focuses on a Chinese “spyware” app with more than 100 million installs. Worse, the developer behind the app has other dangerous titles with at least 50 million installs. According to VPNpro, those apps request “dangerous” permissions, and at least one of them is also hiding a malicious remote access trojan.
Beyond the reported technical abuses, the report also highlights the issue of obfuscation—we have seen networks of related developers hiding their links before, and here we have allegations that the Chinese developer masked its origins behind local subsidiaries in presenting apps on Play Store.
There have been multiple reports now into both of these issues. To its credit, Google has pulled networks of apps that abuse permissions or spew adware once installed. The permissions issue, though, is more complex. Google has taken steps to encourage developers to keep in line, but that is not enforced. It should be mandatory. There is no excuse for permission abuse that puts hundreds of millions of users at risk for the sake of ruthless monetisation, especially as it also opens the door to much more malicious threats.
The developer in question this time is Hangzhou-based QuVideo Inc, its most popular app being VivaVideo. VPNpro describes this as “one of the biggest free video editing apps for Android, with at least 100 million installs on Play Store.” We shouldn’t be too shocked at the claims the app is up to no good—it was one of 40 Chinese apps listed by the Indian government in 2023 as “either spyware or ‘malicious-ware’.” Military personnel were instructed to delete it immediately.
According to VPNpro, QuVideo has three apps on Play Store, although it appears to be networked to others as well. It also has apps on the iOS App Store, but the permission situation with iOS is different and not open to the same abuse.
It lets the Chinese government see a user’s photos, internet history, messages, contacts, and information from 960 other apps. Oh, and they can turn on your smartphone’s flashlight, too.
An app released by the Chinese Communist Party earlier this year has been found to have virtually unlimited access to the data on a user’s Android smartphone—and the consequences are horrifying, reports the Washington Post. The app, called “Study the Great Nation,” was released by the Chinese Communist Party back in January, and by April Chinese state media said it had become the most downloaded app in China, with over 100 million downloads.
The app is essentially a study guide about Chinese President Xi Jinping’s ideology and allows users to read and comment on videos and news articles about his activities, as well as take quizzes based on the information the user has learned and have their results posted to leaderboards.
However, the app has been found to be much more than a simple propaganda tool. The U.S. government-funded Open Technology Fund contracted German cybersecurity firm Cure53 to dig into the app’s code to see what was hidden beneath. What Cure53 found is about as Orwellian as it gets.
The “Study the Great Nation” app has what’s known as “superuser” access on Android devices. As the Washington Post explains, such status is essentially a free-for-all backdoor for the app’s developers, in this case the Chinese Communist Party, to do and see anything they want to on the user’s phone. As the Post reports:
This includes allowing the app to access and take photos and videos, transmit the user’s location, activate audio recording, dial phone numbers and trawl through the user’s contacts and Internet activity, as well as retrieve information from 960 other applications including shopping, travel and messaging platforms. It even requires the ability to connect to WiFi and turn on the flashlight, according to the terms listed by Xiaomi, another Chinese smartphone manufacturer.
“Study the Great Nation” is unfortunately a perfect example of how authoritarian governments can use a simple app to keep tabs on their citizenry.
It should be noted that “Study the Great Nation” is also available on iOS in China; however, the Washington Post says Cure53 did not investigate the iOS version of the app. Apple told the Post that iOS does not allow any type of “superuser” surveillance like Android does.
When Chinese government officials were contacted about the app’s findings, the State Council Information Office, responding for the Propaganda Department, said:
We learned from those who run the Study the Great Nation app that there is no such thing as you have mentioned.