New Malicious Android Apps Installed 10 Million Times From Google Play

A new batch of malicious Android apps filled with adware and malware have been found on the Google Play Store which have been installed nearly 10 million times on mobile devices.

The apps present themselves as image editing tools, virtual keyboards, system optimizers, wallpaper changers, and more. However, their underlying functionality is to deliver intrusive advertisements, subscribe users to premium services and steal victims’ social media accounts.


The discovery of these rogue apps comes from Dr. Web’s antivirus team, which highlighted the new threats in a report released today.

Google has removed the vast majority of featured apps, but at the time of writing, three apps remain available for download and installation through the Play Store.

Also, if you installed any of these apps before they were removed from the Play Store, you will still need to manually uninstall them from your device and run an AV scan to clean up the remnants.

The new malicious Android applications

Adware apps discovered by Dr. Web are modifications of existing families that first appeared on the Google Play Store in May 2022.

During installation, apps ask for permission to overlay windows on any app and can add themselves to the battery saver exclusion list so they can continue running in the background. plan when the victim closes the application.

Rogue apps requesting battery saver exclusion
Rogue apps requesting battery saver exclusion (Dr Web)

Additionally, they hide their icons in the app drawer or replace them with something resembling a core system component, like “SIM Toolkit”.

Attempt to trick users with icon replacement
Attempt to trick users with icon replacement (Dr Web)

The full list of adware apps can be found at the bottom of the article, but a notable example still on the Play Store is “Neon Theme Keyboard”, which has over a million downloads despite the 1.8-star rating and many negative reviews.

“This app ‘killed’ my phone. It kept crashing, I couldn’t even enter a password to unlock the phone and uninstall it. Eventually I had to do a full wipe (factory reset), to find the phone. DO NOT, install this app!!!!,” read a review of the app on the Google Play Store.

One of the adware hiding apps
One of the adware hiding apps

The second category of malicious apps found on the Play Store are Joker apps, which are known to incur fraudulent charges on victims’ mobile phone numbers by subscribing them to premium services.

Two of the apps listed, “Water Reminder” and “Yoga – For Beginner to Advanced,” are still on the Play Store, with 100,000 and 50,000 downloads respectively.

Two of the trojanized apps still on the Play Store
Two of the trojanized apps still on the Play Store

Both provide the functionality promised, but they also perform malicious actions in the background, interacting with invisible or blurry elements loaded through WebView and imposing charges on users.

Eventually Dr. Web highlights two distributed Facebook account thieves in image editing tools that apply cartoon filters on regular images.

These apps are “YouToon – AI Cartoon Effect” and “Pista – Cartoon Photo Effect”, which have been collectively downloaded over 1.5 million times through the Play Store.

Very popular image editor who is actually a Facebook stealer
Very popular image editor who is actually a Facebook stealer (Dr Web)

BleepingComputer has contacted Google about the malicious apps remaining on the Play Store, but has yet to hear back.

Stay safe on the Google Play Store

Android malware will always find a way to slip into the Google Play Store, and sometimes apps can stay there for months, so you shouldn’t blindly trust an app that can’t blindly trust any app.

For this reason, it is essential to check user reviews and ratings, visit the developer’s website, read the privacy policy, and pay attention to the permissions requested during installation.

Also, always consider whether the promised functionality is necessary for you, as keeping the number of apps on your phone to a minimum is a reliable way to reduce the risk of malware infections.

Finally, make sure Play Protect is active on your device and regularly monitor your internet data and battery consumption to identify any suspicious processes running in the background.

As mentioned earlier, users should also check if they have installed any of the following Android adware apps on their devices and if found, manually remove them and scan for viruses.

  • Photo Editor: Beauty Filter (gb.artfilter.tenvarnist)
  • Photo Editor: Retouch & Cutout (de.nineergysh.quickarttwo)
  • Photo Editor: Art Filters (gb.painnt.moonlightingnine)
  • Photo Editor – Design Maker (gb.twentynine.redaktoridea)
  • Photo editor and background eraser (de.photoground.twentysixshot)
  • Photo & Exif Editor (de.xnano.photoexifeditornine)
  • Photo Editor – Filter Effects (de.hitopgop.sixtyeightgx)
  • Photo filters and effects (de.sixtyonecollice.cameraroll)
  • Photo Editor: Blur Image (de.instgang.fiftyggfife)
  • Photo editor: Cut, Paste (de.fiftyninecamera.rollredactor)
  • Emoji Keyboard: Stickers and GIFs (gb.crazykey.sevenboard)
  • Neon Theme Keyboard (
  • Neon Theme – Android Keyboard (
  • Cashe Cleaner (
  • Fancy Charging (
  • FastCleaner: Cashe Cleaner (
  • Call Skins – Caller Themes (
  • Funny Caller (
  • callme phone themes (
  • InCall: Contact context (
  • MyCall – Call Personalization (
  • Caller theme (com.caller.theme.slow)
  • Caller theme (com.callertheme.firstref)
  • Funny Wallpapers – Live Screen (
  • Auto Wallpaper Changer 4K (de.andromo.ssfiftylivesixcc)
  • NewScrean: 4D Wallpapers (
  • Wallpapers and Backgrounds (de.stockeighty.onewallpapers)
  • Notes – reminders and lists (

Leave a Comment