Two spyware sending data of more than 1.5M users to China were found in Google Play Store

Two apps on the Google Play Store with more than 1.5 million downloads have been discovered spying on users and sending data to China.

Researchers from cybersecurity firm Pradeo discovered two malicious apps on Google Play hinding spyware and spying on up to 1.5 million users.

Both applications are file management apps from the same developer and have been discovered sending data to multiple servers in China.

The first app named “File Recovery and Data Recovery” (com.spot.music.filedate) has over 1 million installs, and the second one named “File Manager” (com.file.box.master.gkd) has over 500,000 installs.

“They are programmed to launch without users’ interaction, and to silently exfiltrate sensitive users’ data towards various malicious servers based in China. We have alerted Google of the discovery before publishing this alert.” reads the analysis published by Pradeo.

The two apps have been designed to steal a broad range of information, including users’ contact lists, media files (Pictures, audio and video contents), real-time location, mobile country code, network provider name, network code of the SIM provider, operating system version, device brand, and model.

The researchers noticed that both app perform more than a hundred transmissions of the collected data, which is unusual for modern spyware.

The two apps have a large number of users but no reviews, a circumstance that suggests the threat actors used an install farm or mobile device emulators to fake those numbers to increase the rank of the apps in the store.

• Media compiled in the application: Pictures, audio and video contents
• Real time user location
• Mobile country code
• Network provider name
• Network code of the SIM provider
• Operating system version number, which can lead to vulnerable system exploit like the Pegasus spyware did
• Device brand and model

The two apps have advanced permissions that allow them to hide their icons from the general view to make their uninstallation harder.

The two apps have been removed from the Google Play as confirmed by a company’s spokesman:

“These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play.” Google spokesperson told Security Sffairs.

Below are the recommendations provided by the experts:

First, we advise anyone using these applications to delete them.

As an individual

• Do not download applications that do not have any reviews while thousands of users.
• Read reviews when there are any, they usually reflect the applications true nature.
• Always carefully read permissions before accepting them.

As an organization

• Sensibilize collaborators on mobile threats.
• Automate mobile detection and response to offer a secure flexibility to users, by vetting applications and preventing their launch when non-compliant with your security policy.

The discovery at hand is not an isolated case. Unfortunately, in recent years, multiple malicious apps have been found available through the official Google Play Store, highlighting the need to refine the app analysis processes during the publishing phase and throughout the entire lifecycle within app stores. My recommendation is to only install applications that we are familiar with, published by reliable developers, and, most importantly, that we truly need.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Android)