There are a lot of really weird and shady apps on the Play Store, yet they keep getting tons of downloads. That’s actually the only reason they still exist. It’s still incredibly easy to just throw a bunch of keywords in your app descriptions and make a whole lot of revenue. Today we’re going to dig into one of the main categories of these apps: launchers. It’s usually not hard to tell if one of them isn’t really trustworthy. Common red flags are:

  • Keyword-filled app names like ‘S Launcher - S10/S9/S8 Launcher, S10 theme, cool’ (yes, this app exists)
  • Built-in theme/wallpaper store as a major selling point
  • Live/video/3D wallpapers as a major selling point
  • Battery/RAM boosters (these are a red flag regardless of what they come with)

Also look at the reviews, especially those with lower ratings; publishers of this kind tend to have paid positive reviews.

Yes, this app is just as shady as it looks, but somehow it has over 100.000 downloads.

How do they all look the same?

A lot of these apps come from exactly the same developer group. They have multiple developer accounts to create tons of listings for the same app with minor changes to its look. This allows them to cover a massive number of keywords and get millions of installs while staying mostly under the radar. Every now and then Google’s algorithm will bless one of them by featuring it on the Play Store home screen for some users.

It's almost as if this was the same app (it is).

Why do these apps exist?

The first and foremost reason these work at all is that there are people who download them. Not everyone understands technology or apps well enough to realize which apps are safe to use and which are not. It’s definitely not a bad idea to check the installed apps on the phones of your less tech-savvy relatives and friends (only with their consent, of course) to make sure they haven’t fallen for any of these.

Almost all of these apps contain ads, usually from multiple SDKs, which generate not insignificant revenue across all the installs they get over all listings. A lot of them additionally upload analytics and other user data to their own servers, which makes it quite likely they’re also selling this data or using it for research.

Recently some of them have even gone as far as selling their premium offering not as an overpriced one-time payment, but as a monthly subscription.

The 'Model X Launcher' premium offering is a bargain at only $36/year.

Who makes these?

I have no idea who has so little moral integrity as to do something like this, but one of the developers I could trace most of the apps in this recent wave of launchers back to is KK Mobile. Their website is also part of the APIs these apps are using, which are obviously all based on completely unencrypted HTTP. Other API calls (also HTTP) mostly go directly to these two IPs: 121.40.46.187, 47.74.185.216. A quick look on Shodan is enough to know that these haven’t been patched in ages and are vulnerable to a whole list of CVEs. So to repeat this again, avoid this kind of launcher (or any other app category, obviously) at all costs. There are always better alternatives available.

This post is based on this Twitter thread.