Hundreds of millions of Android devices have potentially been compromised by malicious adware and ad fraud apps that on the surface appear to offer harmless services such as selfie filters, weather forecasts or VPN security, according to a trio of recently released research reports.

Late last week, researchers at mobile security company Wandera reported finding a pair of adware-spiked selfie filter apps in the Google Play Store, with more than 1.5 million downloads between them. A day later, a VPN review site reported that four virtual private network apps, collectively downloaded over 500 million times, were found to commit ad fraud. And just today, mobile technology firm Upstream warned that a weather forecasting app attempted to subscribe close to 700,000 mobile consumers to premium digital services without their consent over a six-month period.

Wandera identified the two selfie camera apps as Sun Pro Beauty Camera (more than 1 million downloads) and Funny Sweet Beauty Selfie Camera (more than 500,000 downloads). According to a company blog post, the apps deliver ads outside of the normal app environment, threatening to potentially disrupt productivity, brick devices and drain batteries.

The SunPro app delivers difficult-to-close full-screen ads, even if the program has never opened, and in spite of attempts to restart infected devices. It also has shady permission requests that allow it to record audio without user permission, as well as overlay screens with information that could trick users into unintended clicks.

The Funny Sweet app is a bit less intrusive, showing full-screen ads outside of the app only if someone downloads a filtered photo via the app, locally on the device. If users try uninstalling either app’s shortcuts, the app nonetheless remains active and runs in the background. It also has permissions for recording audio, displaying content over other apps and reactivating the app after a phone reboot.

Wandera says it reported the app to Google on Sept. 11, but did not indicate how Google responded.

“While it appears as though the apps were only impacting users by showing ads, the apps required extensive permissions, such as the ability to record audio and to persistently run on the device,” said Ido Safruti, co-founder and CTO at PerimeterX, in emailed comments. “This suggests that they were planning to perform additional tasks on the devices, effectively operating as a large mobile botnet.”

“The apps could be recording audio and uploading it to the cloud to be transcribed by a voice recognition service. Those transcriptions could then be parsed for keywords that are used to target users with ads, or to harvest any personal information divulged in the recordings,” said Paul Bischoff, privacy advocate at Comparitech, speculating on why the developers are seeking such permissions.

Researcher Andy Michael, who operates the “vpntesting” VPN review service, has identified four VPN apps that generate and display intrusive ads while apps are running in the background and even when outside the app environment: HotSpotVPN, Free VPN Master, Secure VPN – Unlimited Free & Super VPN Proxy, and CM Security Applock AntiVirus. All four apps are apparently from Chinese developers.

Michael said the apps personally affected his very own phone, forcing ads upon him while he was simply browsing his own media files. “As a user, not only do I think it’s treacherous for a privacy app to abruptly intrude my phone screen, but the constant HTTP requests keep the phone CPU heated and drain phone battery,” Michael wrote in a blog post.

HotSpotVPN, by developer HotspotVPN 2019, and Free VPN Master, from developer Freemaster 2019, share nearly identical code. The former was downloaded more than 500,000 times and the latter was installed over 1 million times. Secure VPN – Unlimited Free & Super VPN Proxy, from developer SEC VPN, was installed 1 million or more times.

But Security Master by Cheetah Mobile, from AppLock & AntiVirus, by far has the largest distribution numbers, having been downloaded at least 500 million times, Michael reports. “This application takes it a step further. Instead of constantly showing the ads the app leverages its enormous user base and intrudes less often and randomly,” Michael reports. “It uses a more sophisticated approach by popping up the app instead and showing the ads immediately after you try to get back to the home screen.”

Meanwhile, researchers at Upstream have reported that weather forecasting app The Weather Forecast: World Weather Accurate Radar, from Chinese company TCL Communications, has resumed engaging in ad fraud after briefly pausing its malicious activities in January 2019.

It was back in January 2019 that Upstream first announced its findings that the app fraudulently purchases premium services on users’ phones without their permission. Following the public disclosure, the app halted its activity for about two months and was also removed from Google Play, but it later returned to the store and once again began signing users up for services they didn’t want, Upstream researchers say in a press release today. The app also comes pre-installed on Alcatel Pixi 4 devices, the release notes.

Upstream claims to have blocked 34 million suspicious transaction attempts from the app since its ad fraud activity returned.

The malicious activity experienced a huge spike in April and continued in lower volumes through at least August. It seems lightning does strike twice. This weather app has [laid] low until the storm passed before returning to its old ways – with a spike in its rogue behavior just a couple of months after it was reported, followed by continuous suspicious activity in deliberately regulated volumes to continue siphoning funds while remaining below the radar,” said Upstream’s CEO Guy Krief in the release. “Repeat malware offenders are quite common as data available from Secure-D’s blocks reveals.  Unchecked, these apps can create billions of dollars of fraudulent advertising revenue while seriously impacting consumers’ pockets and mobile service experience by eating up their data, incurring unwanted charges and affecting the performance of their phones.”