This Chinese company is secretly behind 24 popular apps seeking dangerous permissions

Jan Youngren | Security researcher
Last updated: October 20, 2020

Shenzhen HAWK Internet Co., Ltd is a Chinese company that’s secretly developing 24 popular apps, totaling more than 382 million installs, with some apps containing malware and rogueware, and often participating in unethical practices.

Update (February 4): after our story was published, Zak Doffman at Forbes got in contact with Google, which swiftly removed all 24 apps in the Shenzhen network from the Play store. Google responded that they take reports of security and privacy violations seriously. “If we find behavior that violates our policies, we take action.” 

Update (February 5): Shenzhen Hawk’s mega parent company, TCL Corporation, has now responded, claiming that they understand Google’s actions in removing all of the Shenzhen apps and are “actively working with them to better understand their concerns.” They are also planning on hiring an outside security consultant that will audit each of their apps to offer their customers “peace of mind and trust”. 

When we analyzed the 23 companies secretly behind 100+ VPN products, we first saw the developer Hi Security pop up, which had 3 VPN products under its name. Then, when we analyzed the amount of dangerous permissions popular free antivirus apps were requesting, Hi Security popped up again.

Our interests piqued, we dug further and discovered something startling:

A Chinese company called Shenzhen HAWK is secretly behind not just the app developer Hi Security, but also 4 other app developers, for a total of 24 apps with 382 million combined installs. Some of these apps are known for containing malware and rogueware.

First, there’s the malware-infected Weather Forecast app that harvested millions of users’ data and sent that to a server in China. The app also subscribed users to premium phone numbers, leading to large charges on those users’ phone bills. To make matters worse, the app would launch hidden browser windows and click on ads from certain web pages.


In another case, the Indian government in 2017 also warned its army and paramilitary members to delete Virus Cleaner from their phones because it was identified as being spyware or other malware. In 2018, default apps on Alcatel phones, developed by Shenzhen HAWK, were replaced by adware-riddled apps, frustrating users with loads of advertisements.

All of these affected apps, by the way, are still available to download on Google Play. Our research has uncovered that they’re also asking for a huge amount of dangerous permissions, potentially putting users’ private data at risk. These dangerous permissions include the ability to make calls, take pictures and record video, record audio, and much more.

Because Google has so far failed to remove these apps from the Play store, we recommend users take matters into their own hands and question whether they need these apps at all. If they provide no real benefit, we recommend deleting them from your phone as soon as possible.


Shenzhen HAWK, TCL and China

On their company page, Shenzhen HAWK lists 13 apps as their products.

Included on their page are these apps and the names of their developers listed in Google Play:

    1. Super Cleaner developed by Hawk App
    2. Hi Security developed by Hi Security
    3. Candy developed by ViewYeah Studio
    4. Super Battery developed by Hawk App
    5. Gallery developed by Alcatel Innovative Lab
    6. Hi VPN developed by Hi Security
    7. Net Master developed by Hi Security
    8. filemanager developed by mie-alcatel.support
    9. Apps (not in Google Play)
    10. Calculator (not in Google Play)
    11. Joy Recorder developed by mie-alcatel.support
    12. Weather developed by mie-alcatel.support
    13. Launcher developed by mie-alcatel.support

However, when we investigated each of the 5 app developers that create these apps, we discovered that there were actually 24 different apps in the Shenzhen HAWK network.

On their about page, Shenzhen HAWK lists itself as a wholly-owned subsidiary of the TCL Corporation, a major Chinese company also based in the Guangdong province.



TCL Corporation has at least 52 subsidiaries around the world and owns the licensing rights to Alcatel, BlackBerry, and RCA, among others. It also has strong ties to the Chinese government, starting off in the early 2000s as a state-owned enterprise, and growing to be a large corporation through government support.

This can be quite problematic for privacy-seeking users: China is a defiantly repressive country with very strict data retention laws. It requires companies operating in China to store data on local servers and give unfettered access to those services to the authorities upon request.

 

China is also well-known for its strong desire for greater surveillance, both within its own borders and around the world.

But it’s not only the location that should be a worry for users.

It’s also the fact that Shenzhen HAWK has been exposed for serious privacy and security risks in the past.

Shenzhen HAWK’s spotty reputation

Some of Shenzhen HAWK’s apps have been in the news for issues related to malware, unethical practices, and inadequate privacy.

Alcatel apps secretly infecting phones with malware and adware

Since 2005, TCL Corporation has held the licensing rights for the Alcatel brand, and TCL’s subsidiary Shenzhen HAWK develops 7 apps made specifically for Alcatel phones.

ZDNet writes that one default Alcatel app, Weather Forecast, was compromised with malware, possibly infecting millions of users’ devices. According to the UK-based mobile security firm Upstream, the weather app harvested user data and sent it to a server in China.

The researchers noted that the app “collects and transmits geographic locations, email addresses, IMEIs to a server in China and has a number of privacy invasive permissions on the device.”

In certain countries, the malicious code inside the app would try to subscribe users to premium phone numbers without their knowledge, leading to large charges on users’ phone bills. In Brazil, for example, 2.5 million transaction attempts were made in July-August 2018 from about 130,000 phone numbers.

The weather app would also run in the background, secretly launching hidden browser windows and clicking on ads from certain web pages, surreptitiously using 50MB-250MB of data per day.

Furthermore, in early 2018, Alcatel phone users noticed that some Alcatel apps had been updated to include advertisements – lots of advertisements. Some default Alcatel apps, like Gallery, were changed to Candy Gallery, with a completely new app developer name listed.

According to Reddit users, five other default apps had also been replaced by ad-supported content. SlashGear went as far as to call these “adware”.

Hi Security app banned by Indian government

In 2017, India’s government gave warning to the army and paramilitary to delete a number of Chinese-origin apps from their phones. These 42 mobile apps were identified by the government’s intelligence agency as being spyware or other types of malware.

Included in that list is one app, Virus Cleaner 2019 – Antivirus, Cleaner & Booster developed by Hi Security, which is owned by Shenzhen HAWK.

Virus Cleaner 2019 has already been downloaded 50 million times, according to Google Play.

What permissions are Shenzhen HAWK apps asking for?

Let’s look at each dangerous permission to understand what the permissions allow the apps to do, as well as what kind of privacy and security risk that presents to the user. The list below is organized from most risky to least risky.

| Dangerous permission | Risk level | Permission description |
|---|---|---|
| CAMERA: 6/24 apps requested | HIGH | This gives apps permission to access the device’s camera |
| CALL_PHONE: 2/24 apps requested | HIGH | By getting this permission, apps can make a call directly from the app, without the need to use the Dialer or needing confirmation from the user. |
| ACCESS_FINE_LOCATION: 15/24 apps requested | HIGH | This presents a high risk to privacy, since most apps don’t seem to need it at all. This permission allows apps to use GPS, cell data and/or wifi to get a user’s precise location. |
| READ_EXTERNAL_STORAGE: 15/24 apps requested | HIGH | This allows the app to read through your saved files, including system logs, other apps’ files, etc. |
| READ_PHONE_STATE: 14/24 apps requested | HIGH | This permission allows apps to gather information about a user’s phone: the phone number, cellular network information, connected registered phone accounts, and status of ongoing calls. |
| READ_CONTACTS: 2/24 apps requested | HIGH | This allows apps to look through your phone contacts. |
| RECORD_AUDIO: 1/24 apps requested | HIGH | This allows any app to record audio and store that audio either on the device or on the app servers. |
| ACCESS_COARSE_LOCATION: 13/24 apps requested | MEDIUM | This permission allows apps to gather a user’s general location via wifi and/or mobile cell data. |
| GET_ACCOUNTS: 9/24 apps requested | MEDIUM | This permission gives apps the ability to access a list of accounts in the Accounts Service. |
| WRITE_EXTERNAL_STORAGE: 21/24 apps requested | MEDIUM | This allows apps to upload files to users’ device storage. |
| READ_CALENDAR: 2/24 apps requested | MEDIUM | This allows the app the ability to read through your personal calendar. |
| WRITE_CALENDAR: 1/24 apps requested | MEDIUM | This allows apps to add events to your calendar. |

Dangerous permissions by app

Not all Shenzhen HAWK apps are requesting more dangerous permissions than they need. For example, Word Crossy only asks for the ability to upload files to the device. However, Calendar Lite is asking for permission to read through users’ logs, even though it doesn’t require that function.

Table 2. Sample of dangerous permissions requests by 5 Shenzhen HAWK apps under different developer names.

| App name | No. of dangerous permissions | App permission name |
|---|---|---|
| Virus Cleaner 2019 – Antivirus, Cleaner & Booster (Google Play installs: 100 million; Developer: Hi Security) | 9 | Access coarse location; Access fine location; Call phone; Camera; Get accounts; Read contacts; Read external storage; Write external storage; Read phone state |
| Candy Selfie Camera – Kawaii Photo, Beauty Plus Cam (Google Play installs: 10 million; Developer: ViewYeah Studio) | 8 | Access coarse location; Access fine location; Camera; Get accounts; Read external storage; Read logs; Read phone state; Write external storage |
| Super Cleaner – Antivirus, Booster, Phone Cleaner (Google Play installs: 5 million; Developer: Hi Security) | 7 | Access coarse location; Access fine location; Camera; Get accounts; Read external storage; Read phone state; Write external storage |
| Calendar Lite (Google Play installs: 5 million; Developer: mie-alcatel.support) | 7 | Get accounts; Read calendar; Read contacts; Read external storage; Read logs; Read phone state; Write external storage |
| Sound Recorder: Recorder & Voice Changer Free (Google Play installs: 10 million; Developer: mie-alcatel.support) | 4 | Camera; Read external storage; Record audio; Write external storage |

From the table above, a lot of logical questions arise:

  • Why does an antivirus need to use the camera?
  • Why does a camera app need so many permissions, including the ability to read logs, read through their files, etc.?
  • Why does a sound recorder need to use a camera?
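
The questions above can be turned into a repeatable check. The script below is an added example, not part of the original research: it parses permission lines in the format printed by `aapt dump permissions`, rates them with the risk levels from the first table, and reports dangerous permissions that fall outside a per-category baseline. The `BASELINE` sets, the package name and the sample dump are assumptions constructed for illustration.

```python
import re

# Risk levels copied from the article's dangerous-permission table.
RISK = {
    "CAMERA": "HIGH", "CALL_PHONE": "HIGH", "ACCESS_FINE_LOCATION": "HIGH",
    "READ_EXTERNAL_STORAGE": "HIGH", "READ_PHONE_STATE": "HIGH",
    "READ_CONTACTS": "HIGH", "RECORD_AUDIO": "HIGH",
    "ACCESS_COARSE_LOCATION": "MEDIUM", "GET_ACCOUNTS": "MEDIUM",
    "WRITE_EXTERNAL_STORAGE": "MEDIUM", "READ_CALENDAR": "MEDIUM",
    "WRITE_CALENDAR": "MEDIUM",
}

# Assumption: what each app category plausibly needs. Tune to your own policy.
BASELINE = {
    "sound_recorder": {"RECORD_AUDIO", "READ_EXTERNAL_STORAGE",
                       "WRITE_EXTERNAL_STORAGE"},
    "antivirus": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
}

# Accepts `uses-permission: name='android.permission.X'` and the older
# `uses-permission: android.permission.X` form.
PERM_RE = re.compile(r"^uses-permission:\s*(?:name=')?android\.permission\.(\w+)")

def parse_permissions(dump):
    """Return the set of android.permission.* short names found in the dump."""
    found = set()
    for line in dump.splitlines():
        m = PERM_RE.match(line.strip())
        if m:
            found.add(m.group(1))
    return found

def audit(dump, category):
    """Return (permission, risk) pairs that are dangerous and outside the
    category baseline, HIGH before MEDIUM, then alphabetical."""
    extra = (RISK.keys() & parse_permissions(dump)) - BASELINE[category]
    return sorted(((p, RISK[p]) for p in extra),
                  key=lambda item: (item[1] != "HIGH", item[0]))

# Constructed sample: a sound recorder requesting the four dangerous
# permissions listed in Table 2, plus one non-dangerous permission.
SAMPLE = """package: com.example.recorder
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.CAMERA'
uses-permission: name='android.permission.RECORD_AUDIO'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.WRITE_EXTERNAL_STORAGE'
"""

if __name__ == "__main__":
    for perm, risk in audit(SAMPLE, "sound_recorder"):
        print(f"{risk:6} {perm} is not expected for this app category")
```
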

Reasons for unnecessary dangerous permissions

When looking through these dangerous permissions being requested by these apps, it’s important to understand why they’re requesting them in the first place.

Selling data

The most probable, and legal, reason why apps want a lot of permissions is to sell that data to third parties. The most lucrative is your location data: coarse and fine location, which can pinpoint your location to within a few yards.

Apps can send your location data 14,000 times per day, meaning they’ll have a very good idea of your everyday movements. They can even see which floor you’re on in a building. With this location data, apps can make a lot of money – one company pays developers $4/month for every 1,000 active monthly users.

If apps have 1,000,000 monthly users, that can equal $4,000 every month for app users’ location data.

Illegal uses

Less scrupulous app developers can use these permissions for their own illegal purposes, such as launching ransomware once users grant them special permissions. Others can use data from dangerous permissions to sell on the black market, including your contacts’ information, private messages, pictures, videos and more.

Unfortunately for Shenzhen HAWK, this isn’t theoretical. One of their apps, Weather Forecast, was caught collecting user data and sending it to a server in China.

Apps have been discovered using the call phone permission to make malicious phone calls, plus harvesting and sending data to a remote site.

There are quite a lot of financially lucrative things, legal or illegal, that app developers can do with user data.

Bottom line

Apps under the Shenzhen HAWK umbrella have a few critical issues that should give users pause:

  1. They have a history of malware, rogueware, or unethical practices
  2. They ask for a large amount of unnecessary dangerous permissions

Put together, users should seriously consider whether the perceived benefits will outweigh these serious negatives. In general, when selecting apps to use – and especially when giving them access to sensitive parts of your phone – users need to be very vigilant.

Apps that seem innocent may actually be sending phishing emails, reading and changing your files, selling your data, or much worse. After all, at the end of the day, you are the last line of defense against malicious software.

We strongly recommend thinking about your online privacy and using a VPN to protect yourself. Our team has gathered the best VPN providers for you. In case paid software is not an option, here are the top free VPN services.


Disclaimer:
We meticulously research our stories and endeavor to present an accurate picture for our readers.  We’re also human, and if you believe we have made a factual error (as opposed to disagreeing with an opinion), please contact us so that we may investigate and either correct or confirm the facts. Please reach out to us using our Contact Us page.
4 comments


  1. bill

    I have a TCL TV. Where can I find a list of TCL servers to block on my firewall?


  2. Ilaya

    Holy camoly! China is always involved in such things. VPNPRO, you are doing an amazing work here. All these researches really do help people like me to see what really is going on, be aware of situation and make certain actions. Kudos!


  3. Donald

    Does this mean that internet connected TCL electronics should be a cause for concern as well, since Shenzhen HAWK lists itself as a wholly-owned subsidiary of the TCL Corporation :/


  4. DC

    I have an android phone cost like $45-$50 AUD. This phone cooperates with OPTUS.

    They have the factory-installed software with “Joy Launcher, Candy Gallery, filemanager, weather …”
    That factory-installed software is hard to uninstall.

    I believe they have a more cheap phone for people to buy it outside. Before you login, you already have the spyware waiting for you on a cheap phone.

    Model Name: Optus X Spirit

    Hope this helps.
