Researchers from cybersecurity firm Pradeo discovered two malicious apps on Google Play hinding spyware and spying on up to 1.5 million users.
Both applications are file management apps from the same developer and have been discovered sending data to multiple servers in China.
The first app named “File Recovery and Data Recovery” (com.spot.music.filedate) has over 1 million installs, and the second one named “File Manager” (com.file.box.master.gkd) has over 500,000 installs.
“They are programmed to launch without users’ interaction, and to silently exfiltrate sensitive users’ data towards various malicious servers based in China. We have alerted Google of the discovery before publishing this alert.” reads the analysis published by Pradeo.
The two apps have been designed to steal a broad range of information, including users’ contact lists, media files (Pictures, audio and video contents), real-time location, mobile country code, network provider name, network code of the SIM provider, operating system version, device brand, and model.
The researchers noticed that both app perform more than a hundred transmissions of the collected data, which is unusual for modern spyware.
The two apps have a large number of users but no reviews, a circumstance that suggests the threat actors used an install farm or mobile device emulators to fake those numbers to increase the rank of the apps in the store.
The two apps have advanced permissions that allow them to hide their icons from the general view to make their uninstallation harder.
The two apps have been removed from the Google Play as confirmed by a company’s spokesman:
“These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play.” Google spokesperson told Security Sffairs.
Below are the recommendations provided by the experts:
First, we advise anyone using these applications to delete them.
As an individual
As an organization
The discovery at hand is not an isolated case. Unfortunately, in recent years, multiple malicious apps have been found available through the official Google Play Store, highlighting the need to refine the app analysis processes during the publishing phase and throughout the entire lifecycle within app stores. My recommendation is to only install applications that we are familiar with, published by reliable developers, and, most importantly, that we truly need.
(SecurityAffairs – hacking, Android)