Developed by Russian company Wireless Lab, FaceApp, an app that manipulates photos to make users look older, change their gender, hairstyle or makeup, has become a viral sensation.

Thanks to the “FaceApp challenge” in which users upload pictures of themselves artificially aged by 30 years using the app, it has soared in popularity over the last few weeks, with 12.7 million new users downloading the app since July 10th, according to Business Insider.

However, with its rapid rise in popularity, the app has raised a number of security fears, with many voicing concerns over the app’s terms of service. These focus on reports that the app has ownership of users’ photos, can access other images on devices and could even be used to create a database of images to be used in facial recognition.

Although the company’s founder, Yaroslav Goncharov has claimed that “most photos are deleted within 48 hours”,  this has not stopped many questioning the Russian company’s privacy policy.

However, whether these fears are unfounded or not, FaceApp may pose a security threat from another source outside the app itself.

FaceApp security issue: Copycat apps

According to research by ESET, the FaceApp has attracted a series of copycats, which could trick users into downloading malicious versions of the app.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

Searching ‘FaceApp’ on Google Play reveals a number of fake apps, which may contain malicious software, exploiting the popularity FaceApp and other successes such as Fortnite and Pokemon Go.

Researchers have found that attackers have developed “premium” versions of the app, in which scammers trick users into installing “other paid apps and subscriptions, ads and surveys”.

The victim also receives requests from various websites to allow the display of notifications. When enabled, these notifications lead to further fraudulent offers.

According to ESET researcher Lukáš Štefanko, there were 200-thousand stories online last Thursday about the fake and fictitious FaceApp Pro. One YouTube video about a fictitious version of the app had 150-thousand views, and its malicious links had been clicked over 90-thousand times.

Tom Lysemose Hansen, Promon CTO and founder warns users to be vigilant when downloading any app and ensure that it really is the official version:

“Despite being fun, viral apps like FaceApp open the door for a whole host of cybersecurity risks. Users must be aware in the coming weeks that plenty of malicious copycats, which masquerade as the original FaceApp, will be available to download for free on App Store and Google Play.

“Worryingly, from our own analysis, we have found that FaceApp lacks protection against ‘repackaging attacks’ which is when a hacker obtains a copy of an app and then adds malicious functionality before re-distributing to the app stores.”

“These hackers have two goals: to steal users’ personal data and to compromise their devices.

“Our advice to users is to always be vigilant when downloading any app and to ensure they download the official version. The biggest clue is always in the name of the developer attributed to an app, so if someone is unsure they should search the developer name online to check their credentials.”


Read more: NSO denies having spyware that can hack cloud servers.