A recent Buzzfeed article points out that several popular Android apps available on the Google Play Store have been collecting and storing sensitive user data without encryption or permission.




This particular instance is more alarming than previous ones: not only are some of the most-downloaded apps on the Google Play Store implicated in the report, but they also happen to be developed by Chinese companies that may be sharing collected data with the Chinese government.

Which apps to delete right away

These are the apps that have been implicated in Buzzfeed’s investigation. If you have any of these installed on your phone, delete them now:

Selfie Camera

Total Cleaner

Smart Cooler

RAM Master

AIO Flashlight

Omni Cleaner

WaWaYaYa

Emoji Flashlight

Samsung TV Remote Control (via Peel Technologies, Inc.)

How to avoid apps like these

Don’t feel bad if yours were among the nearly 100 million combined downloads for these apps. The developers obfuscated otherwise damning information—such as country of origin and the company that owns the app—that would normally raise red flags.


However, as Buzzfeed’s investigation points out, each app asked for way too many app permissions, including “dangerous” permissions like location data, access to phone sensors, or personal contact information. This is an indicator of a suspicious app.

Google blacklisted six of the above apps—Selfie Camera, Total Cleaner, Smart Cooler, RAM Master, AIO Flashlight, and Omni Cleaner—in response to Buzzfeed’s reporting, and updated how it will evaluate permissions and developer accounts going forward, but even so, it seems to be far too easy for malicious developers to dupe the Google Play Store.

Here are our recommendations for staying smart about your app downloads:

Use a trusted mobile anti-virus.

Don’t download apps with overwhelmingly poor reviews.

Furthermore, pay attention to what the reviews are actually saying; companies can inflate their ratings with fake reviews to drown out the negative ones. If you see any reviews calling out shady behavior, false advertising, etc., steer clear.

Look out for apps with a high number of permissions, or permissions that don’t make sense for the app. For example, the AIO Flashlight app asked for 31 total permissions. No legit flashlight app requires anywhere near that many in order to run.

Review an app or app developer’s security policy. This can often be found with a quick web search if none is openly provided. If the policy seems flimsy, is hosted from a dubious location (like Selfie Camera’s random Tumblr page

In general, do not download apps from devs you don’t recognize. If you do, search the app online and seek out professional reviews and user feedback from tech sites and forums.

Be extremely cautious when downloading APK files from unofficial sources.

An app may pass several of the above parameters, but utterly fail others. For example, the Selfie Camera app boasted a 4.5-star rating on Google Play and had over 50 million downloads, yet it was asking for 50 permissions and its privacy policy was hidden on an unrelated Tumblr blog. It’s the perfect example of why any third-party apps from developers you don’t already trust need to be scrutinized.
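The permission check recommended above can be scripted. This is an added example, not code from the article or from Google: it assumes the APK's manifest has already been decoded to text XML (for instance with apktool), and the function name, the review threshold of 10 and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Subset of the permissions Android classifies as "dangerous" (runtime) permissions.
DANGEROUS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_CONTACTS",
    "android.permission.BODY_SENSORS",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_SMS",
    "android.permission.CAMERA",
}

def audit_permissions(manifest_xml, expected=(), max_total=10):
    """Report on the permissions requested in a decoded AndroidManifest.xml.
    expected: permissions that make sense for this kind of app.
    max_total: review threshold for the total count (an assumption, tune it)."""
    root = ET.fromstring(manifest_xml)
    requested = set()  # a set, so a permission declared twice counts once
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                requested.add(name)
    unexpected = sorted((requested & DANGEROUS) - set(expected))
    too_many = len(requested) > max_total
    return {
        "total": len(requested),
        "too_many": too_many,
        "unexpected_dangerous": unexpected,
        "suspicious": bool(unexpected) or too_many,
    }

# Constructed sample: a made-up flashlight app, not the manifest of any app named above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.BODY_SENSORS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
</manifest>"""

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_MANIFEST, expected={"android.permission.CAMERA"}))
```

A flashlight legitimately needs the camera permission to drive the flash, so it is passed as `expected`; location, contacts and body sensors are what get flagged.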