PSA: Avoid shady Android launcher apps

by Till Kottmann

There are a lot of really weird and shady apps on the Play Store, yet they keep getting tons of downloads. That is actually the only reason they still exist: it is still incredibly easy to throw a bunch of keywords into an app description and make a whole lot of revenue. Today we’re going to dig into one of the main categories of these apps: launchers. It’s usually not hard to tell when one of them isn’t trustworthy; common red flags are:

Also look at the reviews, especially those with lower ratings; this kind of publisher tends to have paid positive reviews.

Yes, this app is just as shady as it looks, but somehow it has over 100,000 downloads.

How do they all look the same?

A lot of these apps come from exactly the same developer group. They use multiple developer accounts to create tons of listings for the same app with minor cosmetic changes. This lets them cover a massive number of keywords and get millions of installs while staying mostly under the radar. Every now and then Google’s algorithm will bless one of them by featuring it on the Play Store home screen for some users.

It's almost as if this was the same app (it is).

Why do these apps exist?

The first and foremost reason these work at all is that there are people who download them. Not everyone understands technology or apps well enough to realize which apps are safe to use and which are not. It’s definitely not a bad idea to check the installed apps on the phones of your less tech-savvy relatives and friends (only with their consent, of course) to make sure they haven’t fallen for any of these.

Almost all of these apps contain ads, usually from multiple SDKs, which generates not insignificant revenue across all the installs they collect over all their listings. A lot of them additionally upload analytics and other user data to their own servers, which makes it quite likely they’re also selling this data or using it for research.

Recently some of them have even gone as far as to offer their premium features not as an overpriced one-time payment, but as a monthly subscription.

The 'Model X Launcher' premium offering is a bargain at only $36/year.

Who makes these?

I have no idea who has this little moral integrity to do something like this, but one of the developers I could trace most of the apps in this recent wave of launchers back to is KK Mobile. Their website also hosts part of the API endpoints these apps use, all of which run over completely unencrypted HTTP. Other API calls (also plain HTTP) mostly go directly to these two IPs: 121.40.46.187, 47.74.185.216. A quick look on Shodan is enough to see that these hosts haven’t been patched in ages and are vulnerable to a whole list of CVEs. So, to repeat: avoid this kind of launcher (or any other app category, obviously) at all costs; there are always better alternatives available.
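The cleartext-HTTP behaviour described above is something you can check for yourself before trusting an app. As an added example (not code from the original post, nor from any of the apps or developers it names), here is a small Python triage script that pulls `http://` endpoints out of text extracted from a decoded APK (for instance apktool output), flags hosts that are bare IP literals, and checks whether the decoded manifest opts into cleartext traffic. The sample strings, hostnames and addresses are constructed placeholders, not values from any real app.

```python
import re
import xml.etree.ElementTree as ET
from ipaddress import ip_address
from typing import Dict, List

# Constructed sample: strings as they might appear in a decoded APK's
# resources or dex string pool. Hosts/IPs are placeholders (TEST-NET ranges).
SAMPLE_STRINGS = """
https://api.example-ads.test/v2/config
http://203.0.113.10/launcher/stat?uid=
http://198.51.100.7:8080/upload/contacts
http://updates.launcher-vendor.test/check
/data/user/0/com.example/cache
"""

# Constructed AndroidManifest.xml fragment as apktool would decode it (text XML).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.launcher">
  <application android:usesCleartextTraffic="true" android:label="Launcher"/>
</manifest>"""

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
URL_RE = re.compile(r"\bhttps?://([^/\s:\"']+)(?::(\d+))?[^\s\"']*")


def is_ip_literal(host: str) -> bool:
    """True if the host part of a URL is a raw IPv4/IPv6 address, not a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def find_cleartext_endpoints(text: str) -> List[Dict[str, object]]:
    """Return every http:// URL in text, noting whether its host is a bare IP."""
    findings = []
    for m in URL_RE.finditer(text):
        url = m.group(0)
        if not url.startswith("http://"):
            continue  # https:// endpoints are not cleartext, skip them
        host = m.group(1)
        findings.append({"url": url, "host": host, "ip_literal": is_ip_literal(host)})
    return findings


def allows_cleartext(manifest_xml: str) -> bool:
    """True if <application> explicitly sets android:usesCleartextTraffic="true"."""
    app = ET.fromstring(manifest_xml).find("application")
    return app is not None and app.get(ANDROID_NS + "usesCleartextTraffic", "false").lower() == "true"


def triage(strings_text: str, manifest_xml: str) -> Dict[str, object]:
    """Summarise the cleartext findings: opt-in flag, URL count, hardcoded IP hosts."""
    endpoints = find_cleartext_endpoints(strings_text)
    return {
        "cleartext_allowed": allows_cleartext(manifest_xml),
        "cleartext_urls": len(endpoints),
        "hardcoded_ip_hosts": sorted({e["host"] for e in endpoints if e["ip_literal"]}),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_STRINGS, SAMPLE_MANIFEST))
```

On a real decoded APK, feed it the concatenated `res/values/strings.xml`, `smali/` and `assets/` text instead of the constructed sample; an app that uploads user data to a hardcoded IP over plain HTTP will show up in `hardcoded_ip_hosts`. Note that apps targeting API levels below 28 allow cleartext by default even without the manifest attribute.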

This post is based on this Twitter thread.