I stumbled upon an app which seems out of place & has many strange permissions.
The function of the app could be served by a PWA.
A few things which stood out with this app:
- App size (100MB+)
- Questionable Permissions
- Strange App Reviews
Looking into the apk:
- Offers Relating To Cryptocurrency
- Face Verification Libraries
- ID Scanning Libraries
- Ability To Run On Device Start
- Ability To Force Device On (Wakelock)
This raises some questions regarding Google Play. The permissions the app declares:
- Write System Settings
- Run On Device Startup
- Read & Write External Storage
- Require Camera Present
- Access Camera
- Access Microphone
Nothing in the app's functionality as described on Google Play requires a camera.
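The permission list above is the kind of thing worth pulling straight out of the APK rather than reading off the store page. The script below is an added example (not code from the original post): it parses the text AndroidManifest.xml that `apktool d app.apk` writes out, lists the permissions, hard feature requirements and any receiver wired to BOOT_COMPLETED, and compares the permissions against a baseline for a simple content app. The sample manifest, package name, class name, watch-list and baseline are all constructed for the example and are not the real app's.

```python
"""Triage a decoded AndroidManifest.xml for permissions and start-up hooks.

Input is the text manifest that `apktool d app.apk` writes out; the APK
itself holds a binary XML that ElementTree cannot parse.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"


def android_attr(elem, name):
    """Read an android:-namespaced attribute (android:name etc.), or None."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Constructed sample mirroring the permission labels listed in the post.
# Not the real app's manifest: package and class names are made up.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspicious">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
    <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.WAKE_LOCK"/>
    <uses-feature android:name="android.hardware.camera" android:required="true"/>
    <application android:label="Example">
        <receiver android:name=".BootReceiver" android:exported="true">
            <intent-filter>
                <action android:name="android.intent.action.BOOT_COMPLETED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Permissions that need a justification from the app's stated purpose
# (assumption: an editorial watch-list, not a Google Play policy list).
WATCHLIST = {
    "android.permission.CAMERA": "camera access",
    "android.permission.RECORD_AUDIO": "microphone access",
    "android.permission.WRITE_SETTINGS": "write system settings",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run on device start-up",
    "android.permission.WAKE_LOCK": "keep the device awake",
    "android.permission.READ_EXTERNAL_STORAGE": "read shared storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write shared storage",
}

# What a simple content app plausibly needs (assumption for the example).
CONTENT_APP_BASELINE = {"android.permission.INTERNET",
                        "android.permission.ACCESS_NETWORK_STATE"}


def parse_manifest(xml_text):
    """Extract permissions, feature requirements and boot-time receivers."""
    root = ET.fromstring(xml_text)
    permissions = {android_attr(e, "name") for e in root.iter("uses-permission")}
    declared_features = {android_attr(e, "name") for e in root.iter("uses-feature")}
    # android:required defaults to true when the attribute is omitted.
    required_features = {android_attr(e, "name") for e in root.iter("uses-feature")
                         if android_attr(e, "required") != "false"}
    boot_receivers = [android_attr(r, "name") for r in root.iter("receiver")
                      if any(android_attr(a, "name") == BOOT_ACTION
                             for a in r.iter("action"))]
    return {"permissions": permissions, "declared_features": declared_features,
            "required_features": required_features, "boot_receivers": boot_receivers}


def triage(info, baseline=CONTENT_APP_BASELINE):
    """Return human-readable findings for anything outside the baseline."""
    findings = []
    for perm in sorted(info["permissions"] - baseline):
        if perm in WATCHLIST:
            findings.append(f"permission {perm}: {WATCHLIST[perm]}")
    for feat in sorted(info["required_features"]):
        findings.append(f"hard requirement on feature {feat}: Play hides the app "
                        "from devices without it")
    # Declaring CAMERA with no <uses-feature android:required="false"> makes
    # Play treat the camera as required anyway (implicit feature requirement).
    if ("android.permission.CAMERA" in info["permissions"]
            and "android.hardware.camera" not in info["declared_features"]):
        findings.append("implicit requirement on android.hardware.camera via CAMERA permission")
    for recv in info["boot_receivers"]:
        findings.append(f"receiver {recv} handles {BOOT_ACTION}: code runs at device start")
    return findings


if __name__ == "__main__":
    for line in triage(parse_manifest(SAMPLE_MANIFEST)):
        print(line)
```

Run it against `out/AndroidManifest.xml` after `apktool d app.apk -o out`. Two caveats a reviewer should keep in mind: a manifest permission only says what the app may request, not what it does at runtime, and the "camera required" flag on a store listing can arise implicitly from the CAMERA permission alone, so check the `<uses-feature>` entries before concluding the developer asked for it explicitly.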
Looking into the apk I found references to cryptocurrency, including advertising a crypto exchange offering 18 types of cryptocurrency.
(the app is not in any category relating to cryptocurrency or banking)
In addition to this there are two face verification libraries. The vendors describe them as follows.
FaceTec: "FaceTec's two-second video-selfie verifies 3D Liveness, matches the user's 3D Face to their Photo ID, OCRs the Text on their ID, and sets up their new account."
Prooface: "Prooface is a facial biometrics technology that distinguishes honest users from masks, deepfakes, or look-alikes. This is done by creating a 3D FaceMap of each user that's continuously referenced for verifying document uploads and login attempts."
Going by the vendors' own descriptions, these libraries allow the app to
- scan existing personal identity documents
- verify the user via a live selfie using a 3D FaceMap
There are also instructions in the code on scanning birth certificates, passports, ID cards & recent bills, referencing KYC checks.
In addition there are references to Google's MediaPipe Face Mesh (the TensorFlow Lite based face-landmark pipeline), which Google describes as:
"MediaPipe Face Mesh is a lightweight machine learning pipeline predicting 468 3D facial landmarks to infer the approximate surface geometry of a human face."
There are various references to cryptocurrency, including offers & the suggestion that this app serves as a secure wallet for storing cryptocurrency.
Here is an example of a push notification found in the code.
One offer suggests you could earn credit by completing a KYC check (providing personal details & a selfie).
This is a red flag: the identity information collected (e.g. passport, photo, bills, name, date of birth, address) is exactly the set needed to impersonate a user.
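The library and string findings above (FaceTec, Prooface, MediaPipe Face Mesh, KYC and wallet offers) come from reading the decoded APK. The script below is an added example, not the post's own tooling: it walks an apktool output directory, flags files whose path or contents match indicators for the SDKs named in the post, and records every line containing a KYC/crypto keyword with its location. The sample tree is constructed for the example; the SDK indicators are vendor names matched case-insensitively (the real package names were not verified here), and the keyword list is an editorial choice.

```python
"""Scan an apktool output tree for identity-verification SDKs and KYC/crypto
strings. The SAMPLE_TREE below is constructed and is not the real app's."""
import os
import re
from collections import defaultdict

# Indicators for the SDKs the post names (assumption: vendor names matched
# against paths and contents; real package names not verified here).
SDK_INDICATORS = {
    "FaceTec": re.compile(r"facetec", re.I),
    "Prooface": re.compile(r"prooface", re.I),
    "MediaPipe Face Mesh": re.compile(r"facemesh", re.I),
}

# Words that sit oddly in an app outside the finance category (assumption).
KEYWORDS = re.compile(r"\b(kyc|passport|selfie|liveness|wallet|crypto|exchange)\b", re.I)

# Constructed stand-in for `apktool d app.apk -o out`: path -> file text.
SAMPLE_TREE = {
    "smali/com/facetec/sdk/FaceTecSDK.smali":
        ".class public Lcom/facetec/sdk/FaceTecSDK;\n",
    "smali/com/google/mediapipe/solutions/facemesh/FaceMesh.smali":
        ".class public Lcom/google/mediapipe/solutions/facemesh/FaceMesh;\n",
    "res/values/strings.xml":
        "<resources>\n"
        '  <string name="promo">Complete KYC verification with a selfie and earn credits</string>\n'
        '  <string name="wallet_title">Secure crypto wallet</string>\n'
        "</resources>\n",
    "assets/notification.json":
        '{"title": "Offer", "body": "Upload your passport to unlock rewards"}\n',
    "res/values/colors.xml":
        '<resources>\n  <color name="primary">#FF0000</color>\n</resources>\n',
}


def iter_tree(root):
    """Yield (relative_path, text) for every readable file under root."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    yield rel, fh.read()
            except OSError:
                continue


def scan_files(files):
    """Return SDK hits (name -> paths) and keyword hits (path, line, words, text)."""
    sdk_hits = defaultdict(set)
    keyword_hits = []
    for path, text in files:
        for sdk, pattern in SDK_INDICATORS.items():
            if pattern.search(path) or pattern.search(text):
                sdk_hits[sdk].add(path)
        for lineno, line in enumerate(text.splitlines(), 1):
            words = sorted({w.lower() for w in KEYWORDS.findall(line)})
            if words:
                keyword_hits.append((path, lineno, words, line.strip()))
    return {"sdks": {k: sorted(v) for k, v in sdk_hits.items()},
            "keywords": keyword_hits}


if __name__ == "__main__":
    import sys
    source = iter_tree(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_TREE.items()
    report = scan_files(source)
    for sdk, paths in report["sdks"].items():
        print(f"SDK {sdk}: {len(paths)} file(s), e.g. {paths[0]}")
    for path, lineno, words, line in report["keywords"]:
        print(f"{path}:{lineno} [{', '.join(words)}] {line}")
```

Run `python scan.py out` against a real apktool directory, or with no argument to see the constructed sample. String-based indicators only catch unobfuscated SDKs; once ProGuard or R8 has renamed packages, the class paths disappear and you are left with resource strings, asset files and native library names, which is why the scan looks at contents as well as paths.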
There have been mobile apps in the past which serve dual functionality,
e.g. a children's game on the App Store that flips to an online casino for users in Turkey.
I reported this to Google Play on 11th May 2021 but have not heard anything back & the app is still available for users to download.
A few observations / opinions
- It's difficult to contact Google Play
- Permissions should relate to app function/category
- Permissions should be clear to user before downloading apps
- Libraries referenced should relate to app category
I would think biometric libraries relating to KYC like 3D facemap should trigger Google's Play Protect if the app is not in the banking category.
Know your customer (KYC)
The know your customer or know your client (KYC) guidelines in financial services require that professionals make an effort to verify the identity, suitability, and risks involved with maintaining a business relationship.
If you want to contact me regarding this article please leave a comment or email me using details in the contact section on the about page