These aren't hypothetical risks.
These happened.
Each case below is a matter of public record — court filings, security firm reports, government agency findings, or direct Google Play Store enforcement actions.
Clean Master reached over one billion downloads — making it one of the most-installed Android apps of all time. In November 2018, Google banned Cheetah Mobile's apps from the Play Store after security researchers at Kochava documented a large-scale ad click fraud scheme.
Beyond the fraud: Clean Master requested access to contacts, call logs, location, camera, and microphone — permissions with no legitimate function in a "cleaning" app. The app ran persistent background services that collected behavioral data and reported it to Cheetah Mobile's ad network.
📎 Forbes — "Google Bans These Hugely Popular Apps From The Play Store Over Dangerous Ad Fraud" (2019)
In September 2017, security researchers at Cisco Talos discovered that CCleaner — at the time distributed by Piriform — had been modified to include a backdoor before it was signed and published. The malicious version was downloaded by approximately 2.27 million users before the attack was discovered.
The US Department of Justice later linked the attack to APT-41, a Chinese state-sponsored hacking group. The secondary payload specifically targeted technology and telecom companies for long-term espionage — Samsung, Sony, Intel, Microsoft, and others were identified as targets. Users who installed CCleaner during the window of August–September 2017 were potentially compromised without any action on their part.
📎 Cisco Talos — "CCleanup: A Vast Number of Machines at Risk" (2017)
In 2022, researchers at Dr. Web and McAfee documented over 13 apps marketed as phone cleaners, speed boosters, and battery optimizers that contained embedded malware — including spyware components, aggressive adware, and clicker trojans designed to generate fraudulent ad revenue.
| App Name | Threat Type | Install Count |
|---|---|---|
| Junk Cleaner | Adware + Clicker | 1M+ |
| EasyCleaner | Data Harvester | 100K+ |
| Power Doctor | Adware + Clicker | 500K+ |
| Super Clean | Spyware payload | 500K+ |
| Full Clean – Clean Cache | Adware + Fraud | 1M+ |
| Finger Cleaner | Adware | 500K+ |
| + 8 others | Various | — |
Both AVG Cleaner and Norton Clean were discontinued — not because of scandal, but because modern Android versions made their stated purpose impossible to fulfill. Starting with Android 8 (Oreo), Google removed the API that allowed apps to clear other apps' caches. After that change, cleaner apps literally could not clean caches.
Reputable antivirus companies chose to shut down their cleaners rather than continue shipping software that didn't work. Less reputable companies kept shipping — and pivoted to data collection to generate revenue from their installed user bases.
Six tactics designed to keep you locked in
Each of these is a deliberate design choice — not a side effect, not an accident. The goal is maximum access, maximum retention, and minimum chance of removal.
Your phone already manages memory.
It does not need help.
The core pitch of every cleaner app — that your phone is accumulating dangerous "junk" that needs to be manually purged — is false. Here's how Android actually works.
🔬 Android's automatic memory management
Android uses a low-memory killer (LMK) that automatically terminates background processes when RAM is needed. It prioritizes foreground apps and gracefully reclaims memory from inactive processes. This is a core OS function — it runs continuously without any user intervention, and no third-party app can do it better or faster.
💾 Cache is not "junk"
App caches are stored intentionally — they make your apps load faster. Clearing them doesn't free up meaningful storage in most cases, and the cache rebuilds immediately the next time you use the app. The OS automatically evicts old cache files when storage gets low. Manually clearing caches makes your apps slower, not faster.
🚫 The API that made this possible was removed in 2017
Android 8 (Oreo) removed the clearApplicationUserData() API that allowed one app to clear another app's cache. This means any cleaner app installed on Android 8 or newer physically cannot clear other apps' caches — regardless of what its UI shows. The numbers you see are invented.
"Task killers and RAM boosters do nothing useful on modern Android. RAM that's not being used is wasted RAM. Android's memory management is mature and does this automatically. Apps that claim to do it for you are at best useless, at worst actively harmful."
This isn't a bug. It's the business model.
When you look at cleaner apps as a category — not individual apps — a single repeating structure emerges. It is not a coincidence. It is a formula.
The Spyware Delivery Formula
Whether the original intent was malicious or commercial, the end state is the same: a persistent process with broad device access that reports user behavior to remote servers, serves ads, and resists removal. By design or by drift, that is spyware.
This is not a fringe opinion.
The cybersecurity community has been consistent on cleaner apps for years. These are not influencer opinions — these are researchers and organizations whose job is to analyze threats objectively.
"Security software that asks for more permissions than necessary is not security software — it is the threat. The business model of many mobile security and optimization apps is the collection and monetization of user data. The security branding is marketing."
"We've tested dozens of these apps. The pattern is consistent: they request permissions far beyond what any legitimate optimization task requires, they run persistent background services, and they send device data to advertising SDKs. The cleaning is cosmetic. The data collection is real."
"A number of apps in the 'phone optimizer' category have been observed bundling adware and spyware components. Users are attracted by the legitimate-sounding premise and install without reading permissions. The attack surface created by granting these apps Device Administrator and Accessibility access is substantial."
"The EFF recommends users remove any app that requests administrative device control without a clear, verifiable reason — particularly apps in the 'optimizer' or 'cleaner' category. These permission requests are a significant privacy red flag."
🔍 One honest test you can do right now
Open the cleaner app on your phone. Go to its permission settings. Count how many permissions it has requested. For each one, ask: "What specific cleaning task requires access to my [contacts / microphone / camera / location / call logs]?" If you cannot answer that question, the permission is not there for cleaning. It's there for something else.
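The same test can be scripted from a computer. This is an added example, not part of the original page or any tool it describes: it parses text shaped like the output of `adb shell dumpsys package <package>` and reports which of the permissions named above the app requests and whether each is currently granted. The package name and the dump are constructed sample data, and the section layout is assumed to match your Android version.

```python
import re

# Permissions the article says have no role in a "cleaning" app.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
}

# Constructed sample shaped like `adb shell dumpsys package <pkg>` output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.cleaner] (1a2b3c):
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=1234 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=false, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true
"""

PERM_LINE = re.compile(r"(android\.permission\.[A-Z0-9_]+)(?::\s*granted=(true|false))?")

def audit_permissions(dumpsys_text):
    """Map each sensitive permission the app requests to its category and grant state."""
    section, requested, granted = None, set(), set()
    for raw in dumpsys_text.splitlines():
        line = raw.strip()
        if line.endswith("permissions:"):      # e.g. "runtime permissions:"
            section = line[:-1]
            continue
        m = PERM_LINE.match(line)
        if m is None:                          # any other line ends the section
            section = None
        elif section == "requested permissions":
            requested.add(m.group(1))
        elif section in ("install permissions", "runtime permissions") and m.group(2) == "true":
            granted.add(m.group(1))
    return {p: {"category": SENSITIVE[p], "granted": p in granted}
            for p in sorted(requested) if p in SENSITIVE}
```

A permission that is requested but not granted still matters: the app can prompt for it again later, so the requested list is what you compare against the app's stated purpose.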
SlamDoor it — see what's actually on your phone
SlamDoor shows you every pre-installed app on your phone — what it does, what permissions it has, and whether to keep it or remove it. No speculation. No scare tactics. Just the facts.