The Information Highway

The Information Highway

Font size: +
2 minutes reading time (476 words)

Apps with 1.5M installs on Google Play send your data to China

Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality. 

 The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.

Despite being reported to Google, the two apps continue to be available in Google Play at the time of publishing.


Malicious apps still in Google Play (BleepingComputer)


File Recovery and Data Recovery, identified as "com.spot.music.filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as "com.file.box.master.gkd."

The two apps were discovered by the behavioral analysis engine from mobile security solutions company Pradeo and their description states that they do not collect any user data from the device on the Data Safety section of their Google Play entry. 


Data collection declaration on Google Play (BleepingComputer)


However, Pradeo found that the mobile apps exfiltrate the following data from the device:

  • Users' contact list from on-device memory, connected email accounts, and social networks.
  • Pictures, audio, and video that are managed or recovered from within the applications.
  • Real-time user location
  • Mobile country code
  • Network provider name
  • Network code of the SIM provider
  • Operating system version number
  • Device brand and model

While the apps might have a legitimate reason to collect some of the above to ensure good performance and compatibility, much of the collected data is not necessary for file management or data recovery functions. To make matters worse, this data is collected secretly and without gaining the user's consent.

Pradeo adds that the two apps hide their home screen icons to make it more difficult to find and remove them. They can also abuse the permissions the user approves during installation to restart the device and launch in the background.

It is likely that the publisher used emulators or install farms to bloat popularity and make their products appear more trustworthy, Pradeo speculates.

This theory is supported by the fact that the number of user reviews on the Play store is way too small compared to the reported userbase.

It is always recommended to check user reviews before installing an app, pay attention to the requested permissions during app installation, and only trust software published by reputable developers. 

"These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play."

by Google
Charming Kitten hackers use new ‘NokNok’ malware f...
Nickelodeon investigates breach after leak of 'dec...

Related Posts

 

Comments

No comments made yet. Be the first to submit a comment
Monday, 23 December 2024

Captcha Image

Top Breaches Of 2023

Customers Affected In T-Mobile Breach
Accounts Affected In MOVEit Breach
Customers Affected In MCNA Insurance Data Breach
Individuals Affected In PharMerica Data Breach
Users Affected In ChatGPT Major Data Breach
*Founder Shield End of Year 2023