Huawei AppGallery is already filled with fake and stolen applications

From EMUI.

While Huawei’s call to developers to bring their apps to AppGallery has partially worked, this has also filled the store with fake and stolen applications.


[Updated 31/10/2019]

Huawei has been urging developers to bring their applications to the Huawei AppGallery for a while, especially following the US ban and the company being placed on the “entity list”. While this has mostly worked, with dozens of popular applications having recently launched on the store, a surprising number of fake or stolen applications have also surfaced on the store, all published by a few developers.

This is most likely due to an insufficient vetting process on Huawei’s side, as too many applications use the name and even the icon of popular applications to mislead users. Of course, it is quite easy to tell they are fake, as, from the screenshots, they look nothing like the real ones, and the developer is always some unknown person or company. Sadly, not every user is capable of realizing this, especially seeing the number of downloads and how some of these apps are top ranked on Huawei’s AppGallery.

Fake or misleading applications vary in type, with some using the brand’s logo and name, while others go as far as using the logo, description and even screenshots of the original application, to pass their app off as another popular one. Sure, it is possible to report the application through the option given by AppGallery, but the reporting function is too limited and does not allow the user to include a reason for the report, as can be seen in the following screenshots:

The most blatant case of a fake application we’ve encountered is “Mario Kart Tour – Car Race”, which, as previously mentioned, uses the name, icon, screenshots and description of a popular, recent game from Nintendo, while offering a completely different game on launch, “Happy Superman Car Transform Racing”. The game is obviously stuffed with advertisements, the goal being to make as much money as possible before the user inevitably uninstalls the application upon finding out it’s not the advertised one:

Thankfully, the application is now gone, likely due to the number of users reporting it.

Fake applications-wise, we haven’t seen anything else blatant. But what can be easily found are applications using the logo and name of a popular service, adding something else to the title and maybe even slightly changing the logo to keep the resemblance but still be different enough. For instance, this is the case with “Netflix tips”, “Snapchat tips”, “Mario Kart Tips”, “Free Music – Spotify Alternative” (this one is literally a YouTube music browser), “Messenger” (which uses a similar logo to Facebook’s Messenger and the same name but is an entirely different service) and “Call of Duty Tips”. Many of these “Tips” apps come from the same dev, which is unsurprising. We also see the typical garbage applications coming to the store, such as “CleanMaster” from the famous Chinese developer “Cheetah Mobile”. Here are some examples of these apps in question, from multiple different developers:

We then have a rather surprising but also unsurprising case of what would seem to be mass abuse. The developer behind the “Mario Kart Tour – Car Race” scam has also submitted around 100 other games to Huawei’s AppGallery, although searching for those on Google’s Play Store reveals all these applications have been developed by multiple other developers. This opens two possibilities: either this developer, “DI TE SAF”, is a company that facilitates distribution of applications through multiple channels, or the “developer” has downloaded a bunch of APKs of random games and submitted them to Huawei’s AppGallery, which, for some reason, has accepted all of them without further checks. Seeing as “Mario Kart Tour – Car Race” was essentially a scam, we are leaning towards this second option, and considering this as the first major AppGallery abuse so far. Because, if Huawei does not change the way they accept applications and put some kind of measures in place to stop this from happening, multiple other scummy people will take advantage of the platform and users, ruining it and its reputation before it has the opportunity to strengthen its market position. We’ve reported this case to Huawei, and will wait to hear back from them, before eventually contacting some of the affected developers so they can actually confirm (or deny) being involved with this “developer” and take further action. Seeing how quickly Huawei removed “Mario Kart Tour – Car Race” once reported, there’s some hope that this developer will have his account banned. Here’s the massive list of games published by “DI TE SAF”:

This is indeed the complete list of this specific developer’s applications. We’ve counted between 100 and 130 of them, which is an unrealistic amount of applications for anybody, even medium to large companies, unless they are game publishers.

And here are some of the applications, but on the Google Play Store, which are all listed under different names. We’ve selected easy to find applications, as some of them are too generic:

We have been unable to identify quite a few of the applications, as the “developer” has sometimes not only changed the application name and part of the description, but also used a different icon or different screenshots, likely to try and make it harder to find the original games. Sadly, at this point, there is little to no doubt that whoever submitted all these applications is a scammer. Checking their privacy policy does not reveal much, as it includes no address. But we do learn one thing: the scammer in question thought he was being clever by putting his privacy policy on a different site, “qoqo.fun”, which he also owns (being a WordPress website). Sadly, he has taken the necessary precautions when registering the domain, as we are unable to see the registrant name on WHOIS.

Things don’t improve with the following developer. From the looks of it, this person also applies some of the techniques from the first one, such as using different icons or screenshots to try and make it harder to figure out the application is not his:

A quick look at some of the games on the Google Play Store returns the following results:

Yes, initially we only intended to check a few of them, but ended up figuring out all of them. And because we know our evidence will eventually disappear, here’s a screenshot of every single one of the games of this dev. For us, there’s no doubt this person has just stolen a bunch of games from a website such as APK Pure and submitted them to Huawei’s AppGallery. In many cases, we don’t even know which game we are getting, although it’s likely it’ll be some random one and maybe not even the advertised one. The fact some of these applications used to be on Google’s Play Store (those from STJ Games) but have since been removed is even weirder, although it wouldn’t be surprising if this was due to STJ Games breaking Google’s rules in some way.

For the developer in question, we have no doubt it is another scammer, especially after checking out the Privacy Policy of “OSIC TECHNOLOGY CO., LTD.”, who literally posted this one on a free Blogger page with a mistake in the title, saying “privcy policy”. Furthermore, this Privacy Policy does not include any kind of address or way of contacting the “developer”.

Have you checked our… privcy policy?

Just by seeing how easily we’ve found all this information, Huawei could easily implement some basic measures to stop such blatant abuse from a few developers:

  • If the developer has already published the application on another store, such as Apple’s App Store or Google’s Play Store, the developer should link to this to double-check if that’s the case (only viewable to Huawei employees).
  • Huawei should run the screenshots, app name and icon through Google’s image search or a similar option, such as TinEye, to see if the images/name correspond to some other game or not.
  • Developers should be forced to post their Privacy Policy on a registered website with a proper domain, and not be allowed to use free options such as Blogger or literally a Google Docs document. Yes, we’ve seen a few doing this.
  • Furthermore, developers should be forced to include an address, company name and registration number, as well as a contact e-mail, in their privacy policy.
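
As an added illustration (not code from Huawei or from this article's author), the sketch below turns three of the measures above into automated pre-review flags: brand names in a title from an unrelated publisher, a privacy policy on a free host, and missing cross-store or contact details. The submission field names, the brand-to-publisher map and the flag strings are assumptions made for the example, and the sample submissions are constructed.

```python
import re
import unicodedata
from urllib.parse import urlsplit

FREE_HOSTS = ("blogspot.com", "docs.google.com")  # the free options the article names
BRANDS = {  # constructed map: brand phrase -> keyword expected in the publisher name
    "mario kart": "nintendo",
    "netflix": "netflix",
    "snapchat": "snap",
    "spotify": "spotify",
    "call of duty": "activision",
}

def _norm(text):
    """NFKC-fold, lowercase and drop punctuation so dash and spacing variants still match."""
    text = unicodedata.normalize("NFKC", text).casefold()
    return " ".join(re.findall(r"[a-z0-9]+", text))

def vet_submission(sub):
    """Return review flags for one submission dict (hypothetical schema)."""
    flags = []
    name, dev = _norm(sub["app_name"]), _norm(sub["developer"])
    for brand, owner in BRANDS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name) and owner not in dev.split():
            flags.append(f"brand-in-name:{brand}")
    host = (urlsplit(sub["privacy_url"]).hostname or "").lower()
    if not host:
        flags.append("policy-url-invalid")
    elif any(host == h or host.endswith("." + h) for h in FREE_HOSTS):
        flags.append(f"policy-on-free-host:{host}")
    if not sub.get("other_store_url"):
        flags.append("no-other-store-listing")
    if not re.search(r"[\w.+-]+@[\w-]+(\.[\w-]+)+", sub.get("policy_text", "")):
        flags.append("policy-no-contact-email")
    return flags

SAMPLES = [  # constructed submissions; developer names and URLs are placeholders
    {"app_name": "Mario Kart Tour – Car Race", "developer": "Example Dev",
     "privacy_url": "https://example-dev.blogspot.com/p/policy.html",
     "policy_text": "We respect your privacy."},
    {"app_name": "Mario Kart Tour", "developer": "Nintendo Co., Ltd.",
     "privacy_url": "https://publisher.example/privacy",
     "other_store_url": "https://store.example/app/1",
     "policy_text": "Contact privacy@publisher.example, 1 Example Street."},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["app_name"], "->", vet_submission(s) or "no flags")
```

Flags of this kind only route a submission to a human reviewer; the image comparison suggested in the second bullet would be a separate step.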

Concerning Google Docs. Here are two developers using Google Docs to post their Privacy Policy, a genius move, as this allows them to save money on a domain name and website. Of course, these developers only list a Gmail address to contact them, but no address, no proper company name or country of registration, nothing. Even worse, none of the developers mentioned in this article seem to have a proper website or even actually exist. While a Google search of their names does return some results, none of those results is conclusive enough. The first one using Google Docs for his privacy policy is “Mena Limited”:

The second one is “iMate Games”:

Regardless, while it is sad to see how AppGallery is being filled with stolen and low-quality applications, at least the store has also been getting quite a lot of popular apps, as we’ve seen in our past article on the matter. We hope Huawei will soon address these issues and eventually ban the few developers mentioned here, while also putting in place a stricter vetting process overall.

Update 31/10/2019: We’ve received a response to our e-mail. Huawei’s customer service has indicated they’ve forwarded this information to the relevant service to review and investigate the situation. We’ll keep an eye on how things go.
