Overview

Project goal

This project examined Android “cleaner” apps, applications that claim to free storage, improve RAM usage, cool the CPU, save battery, or provide security protection. The goal was to determine what permissions these apps requested, whether any were malicious, and what suspicious behaviors appeared during static and dynamic analysis.

Methodology

How the apps were analyzed

App Selection

The team selected 20 Android cleaner apps from APKPure, with each app claiming to perform some type of phone cleaning or optimization.

Static Analysis

MobSF was used to review permissions, Android API usage, trackers, exported components, anti-analysis checks, and security scores.

Dynamic Analysis

VirusTotal, sandbox behavior, packet capture, ADB installation, and physical Android testing were used to observe runtime behavior.

Key Findings

Cleaner apps were often not clean at all

Permission Abuse

Many apps requested dangerous permissions that were excessive for a simple cleaner, including storage, account, phone state, system settings, and package installation permissions.

Anti-Analysis Behavior

The project found widespread use of anti-VM and anti-debugging checks, suggesting that some apps were designed to resist inspection.

Ad Fraud Patterns

Several apps used hidden ads, transparent activities, background services, or fake engagement flows to generate advertising revenue.

Fake Optimization

Some “cleaning” buttons only triggered animations, random numbers, or success messages instead of performing meaningful system cleanup.

Credential Exposure

One app exposed a publicly accessible Firebase database containing sensitive VPN configuration data, plaintext credentials, certificates, and keys.

Persistence

Several behaviors supported persistence, including boot receivers, background services, notification abuse, and activity tricks designed to keep the app active.

Technical Deep Dive

Notable app behaviors

DU Speed Booster: Public Firebase Exposure (Critical)

DU Speed Booster contained a hardcoded Firebase database URL that exposed VPN configuration files, plaintext usernames and passwords, OpenVPN certificates, private keys, and TLS authentication secrets.

DU Speed Booster: Dynamic Code Loading (High)

The app used DexClassLoader to load additional executable code after installation, allowing behavior to change after static review and making analysis more difficult.

SpeedClean: Background Ad Activity (High)

SpeedClean used receivers and activities to trigger ad behavior during screen-off and unlock events, including a 1x1 pixel activity and transparent ad display flows.

Fingertip Cleaner: Fake Buttons and HiddenAds Behavior (Medium)

Fingertip Cleaner presented fake cleaner functionality, used misleading UI flows, requested excessive permissions, and showed behavior aligned with HiddenAds-style adware.

Meteor Clean: Suspicious Permission Use (Medium)

Meteor Clean showed communication with suspicious infrastructure and contained code related to audio recording, location collection, root checks, silent SMS, and silent installation behavior.

Security Skills Demonstrated

What this project shows

1. Static Analysis

Reviewed APK manifests, permissions, exported components, trackers, obfuscation, and suspicious API usage.

2. Dynamic Testing

Installed APKs in controlled environments and monitored behavior using physical Android testing and packet capture.

3. Threat Research

Connected findings to adware, HiddenAds behavior, dynamic code loading, suspicious permissions, and credential exposure.

4. Risk Communication

Translated technical evidence into clear findings, user impact, and defensive recommendations.

Detection Perspective

How defenders could monitor this behavior

Permission Risk Scoring

Flag apps requesting dangerous permissions that do not align with the stated purpose of the application.

Network Anomalies

Monitor background traffic to ad networks, suspicious domains, public database endpoints, and unexpected infrastructure.

Runtime Behavior

Detect hidden WebViews, transparent activities, boot receivers, dynamic code loading, and background service persistence.
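
As an added illustration of the permission scoring and manifest-level checks above (not code from the project), the sketch below triages a decoded AndroidManifest.xml. The baseline of permissions a cleaner plausibly needs, the weights, the function name `triage_manifest`, and the sample manifest are all assumptions made for this example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed baseline: permissions consistent with a storage cleaner's stated purpose.
CLEANER_BASELINE = {"android.permission.READ_EXTERNAL_STORAGE",
                    "android.permission.WRITE_EXTERNAL_STORAGE"}
# Assumed weights, one permission per category named in the findings.
RISK_WEIGHTS = {
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
    "android.permission.GET_ACCOUNTS": 2,
    "android.permission.READ_PHONE_STATE": 2,
    "android.permission.WRITE_SETTINGS": 2,
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,
}
WAKE_ACTIONS = {"android.intent.action.BOOT_COMPLETED",
                "android.intent.action.USER_PRESENT"}

def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    # Only weighted permissions outside the stated purpose count toward the score.
    excess = sorted((requested - CLEANER_BASELINE) & RISK_WEIGHTS.keys())
    # Receivers woken by boot or unlock support persistence and background ads.
    receivers = sorted(
        r.get(ANDROID + "name", "?") for r in root.iter("receiver")
        if any(a.get(ANDROID + "name") in WAKE_ACTIONS for a in r.iter("action")))
    # A translucent theme is one way an activity can run with no visible UI.
    hidden = sorted(
        a.get(ANDROID + "name", "?") for a in root.iter("activity")
        if "Translucent" in (a.get(ANDROID + "theme") or ""))
    score = sum(RISK_WEIGHTS[p] for p in excess) + 2 * len(receivers) + 2 * len(hidden)
    return {"score": score, "excess": excess, "receivers": receivers, "hidden": hidden}

# Constructed sample manifest (not taken from any app in the study).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.cleaner">
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <activity android:name=".OnePixelActivity" android:theme="@android:style/Theme.Translucent.NoTitleBar"/>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A manifest-only score is a triage signal: dynamic code loading and runtime-registered receivers do not appear in the manifest and still need the runtime checks listed above.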

Research Artifacts

Full paper and presentation

Research Paper

Full written report covering background, methodology, statistical findings, app-specific analysis, future work, conclusion, and citations.

Presentation Deck

Slide deck summarizing cleaner app risks, methodology, key findings, app deep dives, and recommendations.

Project Takeaway

Cleaner apps can act as privacy and security risks by combining fake utility features with permission abuse, ad fraud, persistence, and hidden behavior.