• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Hunters International ransomware gang shuts down and offers free decryption keys to all victims

 | 

SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

 | 

Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

 | 

North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

 | 

Critical Sudo bugs expose major Linux distros to local Root exploits

 | 

Google fined $314M for misusing idle Android users' data

 | 

A flaw in Catwatchful spyware exposed logins of +62,000 users

 | 

China-linked group Houken hit French organizations using zero-days

 | 

Cybercriminals Target Brazil: 248,725 Exposed in CIEE One Data Breach

 | 

Europol shuts down Archetyp Market, longest-running dark web drug marketplace

 | 

Kelly Benefits data breach has impacted 550,000 people, and the situation continues to worsen as the investigation progresses

 | 

Cisco removed the backdoor account from its Unified Communications Manager

 | 

U.S. Sanctions Russia's Aeza Group for aiding crooks with bulletproof hosting

 | 

Qantas confirms customer data breach amid Scattered Spider attacks

 | 

CVE-2025-6554 is the fourth Chrome zero-day patched by Google in 2025

 | 

U.S. CISA adds TeleMessage TM SGNL flaws to its Known Exploited Vulnerabilities catalog

 | 

A sophisticated cyberattack hit the International Criminal Court

 | 

Esse Health data breach impacted 263,000 individuals

 | 

Europol dismantles €460M crypto scam targeting 5,000 victims worldwide

 | 

CISA and U.S. Agencies warn of ongoing Iranian cyber threats to critical infrastructure

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Hacking
  • Malware
  • Mobile
  • Security
  • Two spyware sending data of more than 1.5M users to China were found in Google Play Store

Two spyware sending data of more than 1.5M users to China were found in Google Play Store

Pierluigi Paganini July 09, 2023

Two apps on the Google Play Store with more than 1.5 million downloads have been discovered spying on users and sending data to China.

Researchers from cybersecurity firm Pradeo discovered two malicious apps on Google Play hinding spyware and spying on up to 1.5 million users.

Both applications are file management apps from the same developer and have been discovered sending data to multiple servers in China.

The first app named “File Recovery and Data Recovery” (com.spot.music.filedate) has over 1 million installs, and the second one named “File Manager” (com.file.box.master.gkd) has over 500,000 installs.

“They are programmed to launch without users’ interaction, and to silently exfiltrate sensitive users’ data towards various malicious servers based in China. We have alerted Google of the discovery before publishing this alert.” reads the analysis published by Pradeo.

Google Play spyware apps China

The two apps have been designed to steal a broad range of information, including users’ contact lists, media files (Pictures, audio and video contents), real-time location, mobile country code, network provider name, network code of the SIM provider, operating system version, device brand, and model.

The researchers noticed that both app perform more than a hundred transmissions of the collected data, which is unusual for modern spyware.

The two apps have a large number of users but no reviews, a circumstance that suggests the threat actors used an install farm or mobile device emulators to fake those numbers to increase the rank of the apps in the store.

  • Media compiled in the application: Pictures, audio and video contents
  • Real time user location
  • Mobile country code
  • Network provider name
  • Network code of the SIM provider
  • Operating system version number, which can lead to vulnerable system exploit like the Pegasus spyware did
  • Device brand and model

The two apps have advanced permissions that allow them to hide their icons from the general view to make their uninstallation harder.

The two apps have been removed from the Google Play as confirmed by a company’s spokesman:

“These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play.” Google spokesperson told Security Sffairs.

Below are the recommendations provided by the experts:

First, we advise anyone using these applications to delete them.

As an individual

  • Do not download applications that do not have any reviews while thousands of users.
  • Read reviews when there are any, they usually reflect the applications true nature.
  • Always carefully read permissions before accepting them.

As an organization

  • Sensibilize collaborators on mobile threats.
  • Automate mobile detection and response to offer a secure flexibility to users, by vetting applications and preventing their launch when non-compliant with your security policy.

The discovery at hand is not an isolated case. Unfortunately, in recent years, multiple malicious apps have been found available through the official Google Play Store, highlighting the need to refine the app analysis processes during the publishing phase and throughout the entire lifecycle within app stores. My recommendation is to only install applications that we are familiar with, published by reliable developers, and, most importantly, that we truly need.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)


facebook linkedin twitter

Android China Google Play Hacking hacking news information security news IT Information Security malware mobile Pierluigi Paganini Security Affairs Security News spyware

you might also like

Pierluigi Paganini July 06, 2025
Hunters International ransomware gang shuts down and offers free decryption keys to all victims
Read more
Pierluigi Paganini July 06, 2025
SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Hunters International ransomware gang shuts down and offers free decryption keys to all victims

    Cyber Crime / July 06, 2025

    SECURITY AFFAIRS MALWARE NEWSLETTER ROUND 52

    Security / July 06, 2025

    Security Affairs newsletter Round 531 by Pierluigi Paganini – INTERNATIONAL EDITION

    Breaking News / July 06, 2025

    North Korea-linked threat actors spread macOS NimDoor malware via fake Zoom updates

    Malware / July 05, 2025

    Critical Sudo bugs expose major Linux distros to local Root exploits

    Security / July 04, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT