Cybernews Report: Malicious Apps & Developers

We uncovered a secret network of 27 app developers in the Google Play store

Our new research uncovered a secret group of at least 27 app developers, with 101 apps in total and a combined 69 million installs, that appear to be connected: they copy each other’s apps, steal apps from popular developers, and commit other fraud.

Much about this strange network is unknown. Because the developers share what became our initial connection – their app developer names consist of two parts, mostly Western names – we’ve termed this group the two-name app developer network, or 2NAD for short. Besides the names, we’ve discovered that:

  • These apps request an immense number of dangerous permissions that unnecessarily put users in danger
  • These 2NAD developers have the same Privacy Policy, copies of which are all published on Google Docs. 
  • The websites listed for each app are all based on the same incomplete Firebase “website,” all with the same URL structure. The link to the website is a shortened bit.ly link 
  • When we looked at the APKs, there were obvious duplicates between the 2NAD network
  • Some APKs were clearly stolen from other, more popular app developers outside the 2NAD network
  • When comparing these duplicate or stolen apps side-by-side, the duplication becomes easy to see

Below, we go through each connection with detailed proofs. In general, however, there’s a huge problem with this. First of all, duplicating each other’s apps, or stealing other developers’ apps, is certainly against Google’s Android policies.

Additionally, these apps violate other Android policies, which include:

  • Misrepresentation, since they mislead their users and participate in a “coordinated activity to mislead users.” 
  • Repetitive Content, which doesn’t allow apps that have highly similar (in our research, nearly 100% similar) functions, content and user experience.  
  • Made for Ads policy, which doesn’t allow apps whose primary purpose is just to serve ads

Beyond that, it is bad for the user, since cloned or stolen apps may, in the best-case scenario, provide users with a poor user experience, especially when they are flooded with ads. In the worst-case scenario, these apps can later become vehicles for malicious purposes, including data theft or other malware.

For that reason, we recommend deleting any of the 101 apps found within the 2NAD network.

About this research

In order to carry out this research, we looked at suspicious apps that met our first connection. After that, we filtered apps based on whether they share one of the other connections. Data was gathered in January 2020. Since that time, some app names may have changed, and apps may have been removed from the Play store for various reasons.
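The two-stage filter described above can be sketched as follows. This is an added example, not the report's own tooling: the record fields, the sample listings, the name pattern, and the choice to treat an identical Google Docs privacy policy as the second connection (with the bit.ly link recorded as a supporting signal) are all assumptions.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample store listings; none of these values come from the report.
LISTINGS = [
    {"developer": "Alan Reed", "policy_url": "https://docs.google.com/document/d/PLACEHOLDER_A",
     "policy_text": "We may collect  device data.\nAds are shown.", "website": "https://bit.ly/PLACEHOLDER_A"},
    {"developer": "Mona Hale", "policy_url": "https://docs.google.com/document/d/PLACEHOLDER_B",
     "policy_text": "we may collect device data. ads are shown.", "website": "https://bit.ly/PLACEHOLDER_B"},
    {"developer": "Tom Lake", "policy_url": "https://example.org/privacy",
     "policy_text": "We store notes locally only.", "website": "https://example.org"},
    {"developer": "BigStudio Inc.", "policy_url": "https://docs.google.com/document/d/PLACEHOLDER_C",
     "policy_text": "We may collect device data. Ads are shown.", "website": "https://bit.ly/PLACEHOLDER_C"},
]

TWO_PART_NAME = re.compile(r"[A-Z][a-z]+ [A-Z][a-z]+")  # first connection (assumed pattern)

def host(url):
    return (urlparse(url).hostname or "").lower()

def policy_fingerprint(text):
    """Hash the policy with case and whitespace normalised so copies collide."""
    return hashlib.sha256(" ".join(text.lower().split()).encode()).hexdigest()

def find_network(listings):
    """Return {developer: [signals]} for two-name developers sharing a policy copy."""
    candidates = [item for item in listings if TWO_PART_NAME.fullmatch(item["developer"])]
    by_policy = defaultdict(set)
    for item in candidates:
        if host(item["policy_url"]) == "docs.google.com":
            by_policy[policy_fingerprint(item["policy_text"])].add(item["developer"])
    # A policy only links developers when more than one of them publishes it.
    shared = {dev for devs in by_policy.values() if len(devs) > 1 for dev in devs}
    network = {}
    for item in candidates:
        if item["developer"] in shared:
            signals = ["same privacy policy on Google Docs"]
            if host(item["website"]) == "bit.ly":
                signals.append("bit.ly website link")
            network[item["developer"]] = signals
    return network

if __name__ == "__main__":
    for dev, signals in find_network(LISTINGS).items():
        print(dev, "->", ", ".join(signals))
```

A two-part name alone is not evidence of anything; the filter only reports a developer once a second, shared artefact ties it to another candidate.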
