Android App With Hidden Features

I stumbled upon an app which seems out of place & has many strange permissions.

The app is advertised as a way to check your user profile for a website.

The stated function of the app could be served by a PWA (progressive web app); no native app is needed.

A few things which stood out with this app:

  • App size (100MB+)
  • Questionable Permissions
  • Strange App Reviews

Looking into the apk:

  • Offers Relating To Cryptocurrency
  • Face Verification Libraries
  • ID Scanning Libraries
  • Ability To Run On Device Start
  • Ability To Force Device On (Wakelock)

This raises some questions regarding Google Play.

I reported this to Google Play on 11th May 2021; the app is still available for users to download.

Permissions

  • Write System Settings
  • Run On Device Startup
  • Wakelock
  • Read & Write External Storage
  • Require Camera Present
  • Access Camera
  • Access Microphone

Nothing in the functionality advertised on Google Play requires a camera.

Opening The APK

Looking into the apk I found references to cryptocurrency, including advertising for a crypto exchange offering 18 types of cryptocurrency (the app is not in any category relating to cryptocurrency or banking).

In addition to this there are 2 face verification libraries.

Face Verification Libraries

  • com.facetec.zoom.sdk
  • com.sumsub.sns.prooface

FaceTec's two-second video-selfie verifies 3D Liveness, matches the user's 3D Face to their Photo ID, OCRs the Text on their ID, and sets up their new account.

Prooface is a facial biometrics technology that distinguishes honest users from masks, deepfakes, or look-alikes. This is done by creating a 3D FaceMap of each user that’s continuously referenced for verifying document uploads and login attempts.

Looking at the quotes above, it seems these libraries allow the app to:

  • scan existing personal identity documents
  • verify the user via a live selfie using 3D FaceMap

There are instructions in the code on scanning birth certificates, passports, ID cards & recent bills, referencing KYC checks.

[Screenshot: jadx-facemesh]

In addition there are entries relating to faceMesh.

Google Tensorflow Face Mesh

MediaPipe Facemesh is a lightweight machine learning pipeline predicting 486 3D facial landmarks to infer the approximate surface geometry of a human face.
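As an added example (not code from the original post), here is the kind of check the permission and library sections above perform by hand: parse the manifest's uses-permission and uses-feature entries and scan a jadx class list for the two KYC SDK package prefixes. The manifest and class list are constructed samples, and the subpackage names under the SDK prefixes are made up.

```python
# Added example (not from the original post): triage a decompiled APK by flagging
# manifest permissions and SDK packages that do not fit a profile-viewer app.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions the post lists as unjustified for a simple profile viewer.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.WRITE_SETTINGS": "write system settings",
    "android.permission.RECEIVE_BOOT_COMPLETED": "run on device startup",
    "android.permission.WAKE_LOCK": "force device on (wakelock)",
    "android.permission.READ_EXTERNAL_STORAGE": "read external storage",
    "android.permission.WRITE_EXTERNAL_STORAGE": "write external storage",
    "android.permission.CAMERA": "access camera",
    "android.permission.RECORD_AUDIO": "access microphone",
}

# Package prefixes of the KYC/biometric SDKs found in the APK.
KYC_SDK_PREFIXES = {
    "com.facetec.zoom.sdk": "FaceTec 3D liveness and ID OCR",
    "com.sumsub.sns.prooface": "Sumsub Prooface 3D FaceMap",
}

# Constructed sample input standing in for the real manifest and jadx class list.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.profilechecker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-feature android:name="android.hardware.camera" android:required="true"/>
</manifest>"""
SAMPLE_CLASSES = [  # subpackage names under the SDK prefixes are made up
    "com.example.profilechecker.MainActivity",
    "com.facetec.zoom.sdk.SampleLivenessActivity",
    "com.sumsub.sns.prooface.SampleFaceMapClient",
    "okhttp3.OkHttpClient",
]

def triage(manifest_xml: str, class_names) -> dict:
    """Return flagged permissions, required hardware, and KYC SDKs present."""
    root = ET.fromstring(manifest_xml)
    perms = {n.get(ANDROID_NS + "name") for n in root.iter("uses-permission")}
    return {
        "permissions": {p: why for p, why in SUSPICIOUS_PERMISSIONS.items() if p in perms},
        "required_features": [n.get(ANDROID_NS + "name") for n in root.iter("uses-feature")
                              if n.get(ANDROID_NS + "required") == "true"],
        "sdks": {p: d for p, d in KYC_SDK_PREFIXES.items()
                 if any(c.startswith(p + ".") for c in class_names)},
    }
```

Run it against the real AndroidManifest.xml (after decoding it from the APK) and the class list jadx produces; a non-empty "sdks" result on an app outside the finance category is the mismatch the post describes.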

Cryptocurrency

There are various references to cryptocurrency including offers & the suggestion this app serves as a secure wallet for storing cryptocurrency.

Here is an example of a push notification string found in the code:

AppName

inviting you to join $XXX Offering up to 18 different types of currencies,
$XXX’s crypto wallet is fast, safe, and secure

One offer suggests you could earn credit by completing a KYC check (providing personal details & a selfie).
This seems a red flag, as the ID information provided (e.g. passport, photo, bills, name, DOB, address) could allow impersonation of users.

There have been mobile apps in the past which serve dual functionality,
e.g. a children's game on the App Store that flipped to an online casino for users in Turkey.

Notes

I reported this to Google Play on 11th May 2021 but have not heard anything back & the app is still available for users to download.

A few observations / opinions

  • It's difficult to contact Google Play
  • Permissions should relate to app function/category
  • Permissions should be clear to user before downloading apps
  • Libraries referenced should relate to app category

I would think biometric libraries relating to KYC like 3D facemap should trigger Google's Play Protect if the app is not in the banking category.

Know your customer

The know your customer or know your client (KYC) guidelines in financial services require that professionals make an effort to verify the identity, suitability, and risks involved with maintaining a business relationship.

Tools Used

Contact

If you want to contact me regarding this article, please leave a comment or email me using the details in the contact section on the about page.