Google Purged Almost 1,000 Abusive 'Creeperware' Apps. Now Some Are Coming Back.

In June 2019, a group of cybersecurity researchers notified Google of more than 1,000 potentially malicious apps on the company's Play Store that can be used to surveil, monitor, and harass users. Their findings, which have not previously been reported, eventually led to one of the largest ever mass removals of Android apps. Less than a year later, there are signs that the "creeperware," as the researchers called it, is returning. From a report: The label comprises a broad category of abusable apps, including tools for spying, spoofing phone numbers, and secretly recording video and audio. Some of those programs banned by Google have now rebranded or added disclaimers and returned to the Play Store. Meanwhile, new programs with overtly abusive purposes have slipped through the company's automated monitoring systems. The initial 1,095 apps flagged by researchers came in a variety of forms. Catch Cheating Spouse and its ilk offered stalkerware packages: Once installed on a victim's phone, the user could track the device's location, read messages, listen to calls, remotely record through the microphone, or log passwords. Many of the programs had innocuous names but hostile purposes. Spoof Text Message, for example, advertised itself with a video using the tagline "Don't like your buddy's girlfriend? Well, break them up!" Others, like GirlFriend Cell Tracker, were more explicit in their motivation. "When we reported these apps to Google initially, it felt like they didn't really know what to do with them," said Kevin Roundy, the technical director of NortonLifeLock's research group, and one of the lead members of the team that uncovered the malicious apps last June.

Extreme permission requirements = malware

[Insanity Defense]

So given the extreme permissions most apps seem to insist on (without actually needing) most apps are malware.

Creeperware == That's the intended purpose

[DrYak]

These apps are intentional malware: the extreme permissions are part of the job description.

E.g.: while you are busy elsewhere, your ultra clingy and overly jealous SO (cue in internet memes of "overly attached girlfriend"), quickly installs such an app and grants it broad "constantly stream all of the sensors over internet in background" permission, in order to spy on you. (In addition to opening your phone to half of the blackhat hackers on the planet. But that's what most ads attempt to do any way. The novelty of "creeperware" and other such abusive harrassment apps, is that your SO gets to spy on you too)

These type of apps pray on the insecurity of jealous girlfriends/boyfriends, to lure them to intentionnally install a spying malware on their love interest's smartphone.

Re:

[Insanity Defense]

These apps are intentional malware: the extreme permissions are part of the job description.

Any app that calls for accesses that are not required for the user function performed is malware by definition. For example it performs no function for the user if an E-book reader app "requires" access to your GPS, camera and microphone. Yet all too many apps that have no user function connected with these "require" access to features like this. This is malware.

Re:

[junglee_iitk]

And they also help abused SOs collect some evidence, and abused employees collect some evidence etc.

Re:

[flyingfsck]

These creepers have now rebranded as Covid-19 infection trackers.

Re:

[jellomizer]

And/or just poorly designed programs.

When I was a kid, I did some Linux Development, my programs would only run as root. Because at the time my Dev Experience was was MSDOS programming where there were never permissions. And my trouble shooting was keep on turning on/adding libraries mostly blindly until it worked. As I was at the knows enough to be dangerous but not enough to know that I don't really know what I am doing.

Lucky for me I was still a kid at the time, with little power and ability to distrib

Re:

[thegarbz]

You're not wrong. Any truly popular app will spawn hundreds of abusive ripoffs with the same title. The PlayStore is an absolute cesspool of fraud.

I could say yiha!

[delirious.net]

1000 removed. wow good job. But this should have been default: they should not have been there in the first place. Coming back? Insane. use your god damn synthetic intelligence some more, google.

Re:

[sreid]

or make it more difficult to be a publisher on the play store?

Re:

[nitehawk214]

And when Google makes it impossible to side-load apps, people will complain about that too.

I think this goes to prove that the walled garden protects nobody except the company that runs the garden.

Having useful permissions and security built into the phone would solve this problem. The current "They loaded it form the appstore and clicked an ok button? Cool, give the access to everything!" is garbage.

Re:

[phantomfive]

Yeah, if there are 1,000 then there are 10,000, because there is no process to keep them out.

The gray line.

[jellomizer]

I feel the problem is with most technology is that it could be used for good reasons and bad reasons.

That rock that Ug used to get the marrow from the mammoth that died, to feed his family for a week. Is also the same rock he used to smash his rival's head who was approaching on his territory.

Tools we have today to make sure our kids and family are safe, can be used to spy to hurt people too.

For example, I help a friends family who all had iPhones to setup the Find My Friend feature in iOS. Because their fa

Irrelevant.

[Gravis Zero]

Google makes the rules for the App store. They can decide that there are no gray areas at all if they want to.

Re:

[jellomizer]

There is always a gray line. But Google can narrow it.

Creeperware

[PPH]

Please. We prefer to call them 'mandatory contact tracing apps'.

Re:

[ArchieBunker]

Are you one of the nutters who think the state isn't going to open back up until everyone installs the app on their phone?

Re:

[burningcpu]

Where'd you get that from? He was making an unrelated joke and you went political-angry.

Re:

[ArchieBunker]

Some conspiracy loons are saying this.

Re:

[Ostracus]

Show us on this phone where the app touched you inappropriately.

Is Google play services exempt?

[WaffleMonster]

Google play services is creeperware that stalks hundreds of millions of people 24x7. Google should purge it.

Re: Is Google play services exempt?

[Reverend Green]

When a crappy shovelware app snoops on a few thousand people we call that "creepy".

When Big Brother Google snoops on a few billion people we call that "totalitarianism".

Creepware?

[Random361]

And here I thought to qualify as "creepware" you needed to to transmit over someone's baby monitor menacing things like "I'm going to get you!" or screams or sounds of torture or something equally disturbing. Looks like we've moved it to the Google Play Store. The Watcher on Android [apkfab.com] and The Watcher on iOS [apple.com].

We've come a long way since the time a person could scream maniacal laughter or a chainsaw or heavy breathing into a baby monitor from across the neighborhood or apartment complex. Those were the days!

google needs to keep a tight reign on playstore

[FudRucker]

since people use their phones for banking and finance, and other very important tasks that involve their finances and and other important personal information, i would hate to think the important software i use is sitting on the same servers as malware intended to steal my personal information i would take a hammer to my android phone and change my banking info, and i will if google dont get their shit straight and consider suing them if i lose money because of their lack of security

Default should be 'deny until vetted"

[couchslug]

The public don't need thousands of apps and absurd duplication levels. Google should deny apps Play Store access until they're tested by a human and properly vetted.
Google should also charge a reasonable fee for Play Store access, say a thousand dollars, to deter frivolous additions.

The Play Store is a cesspool

[thegarbz]

Any partially popular app in the Play Store is a real risk to users, not because of the original publishers but because of the thousands of knockoffs.

Take the once popular QuickPics gallery. It was great until it was bought by a Chinese company which filled it with malware. Then it got pulled from the Play Store when Google purged all of that developer's apps. Since then a whole lot of "clones" have popped up with a very similar title, even an identical icon, all with very dubious developer names. All 1-2 star ratings, all complaints of adware and crappy performance, and above all it seems most of these 1 star reviews seem to have no clue they downloaded a knockoff and are questioning why their once great app has fallen so low.

I'm not a fan of Apple's heavy handed curation, but if you're going to pretend to be an authority on what is good for users and flash up warnings when users install things from outside your store, you damn well better put a bit more effort in to your official store.

Typical Google

[awwshit]

I think they only wall off the garden to hide the weeds.