China-Linked Spyware Found in Google Play Store Apps, 2m Downloads

Mobile security solutions provider Pradeo’s security researchers have shared details of the spyware they discovered hiding on the Google Play Store.

According to the report authored by Roxane Suau and published on July 6th, 2023, Pradeo’s behavior analysis engine recently detected two apps (File Recovery and Data Recovery, with 1 million installations, and File Manager, with 500,000 installations) containing hidden spyware, which may have impacted up to 1.5 million users.

Interestingly, both were created by the same developer. The malicious apps posed as harmless file management software, but in reality they behaved maliciously: they can launch themselves without any user interaction and secretly exfiltrate sensitive user data to several malicious servers in China.

Malicious apps (Pradeo)

What Data Did These Apps Collect?

The app profiles on the Google Play Store state that they don’t collect any data from the device, but according to Pradeo’s blog post, these are false claims. Research revealed that the apps collected highly personal data from their targets and transferred it to more than one hundred different destinations, all of them malicious servers located in China.

The spyware apps collected the following data:

  • OS version number
  • Device brand/model
  • Real-time user location
  • Network provider’s name
  • SIM provider’s network code
  • Mobile phone’s country code
  • Pictures, video, and audio content
  • Device’s contact lists (all linked accounts, email and social networks)

How Do the Apps Trap Users?

The developer behind the apps used various techniques to make them appear legitimate. For instance, the spyware apps show a large user base but have no reviews at all. Researchers believe the developer must have used mobile device emulators or install farms to inflate the install numbers and improve the apps’ ranking on the store.

Another tactic is minimal user interaction: the apps launch automatically when the device boots, so they can continue their malicious operations even when the app isn’t in use. They are also not visible on the home screen, as their icon is kept hidden to discourage uninstallation.

How to Stay Safe?

Although Google has removed these apps from the Play Store, if you downloaded and installed them from a third-party store, delete them immediately. Never download apps that have no reviews, even if they show a large user base, and when reviews do exist, read through them for signs of foul play.

Organizations should automate mobile detection and response by vetting apps and determining if they comply with their security policies.
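As an added illustration of that vetting step (this is not Pradeo's engine or any tooling from the report), the script below statically checks a decoded AndroidManifest.xml for the three manifest-level traits the article describes: permissions that would be needed to gather the listed data categories, a receiver that starts the app at boot, and the absence of an enabled launcher entry (a hidden icon). The two manifests and the package names are constructed samples, and the permission-to-data mapping is an assumption made here, not something the report states.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def attr(name: str) -> str:
    """Fully qualified attribute name in the android: namespace."""
    return f"{{{ANDROID_NS}}}{name}"


# Permissions an app would need to gather the data categories the report
# lists. This mapping is our assumption, not taken from the report.
DATA_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "real-time location",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.GET_ACCOUNTS": "linked accounts",
    "android.permission.READ_EXTERNAL_STORAGE": "pictures, video and audio",
    "android.permission.READ_PHONE_STATE": "SIM and network identifiers",
}

BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
MAIN_ACTION = "android.intent.action.MAIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"


def vet_manifest(manifest_xml: str, listing_claims_no_data: bool) -> dict:
    """Report the manifest-level traits described in the article.

    listing_claims_no_data is True when the store listing says the app
    collects no data, so that requested data permissions contradict it.
    """
    root = ET.fromstring(manifest_xml)

    permissions = {p.get(attr("name")) for p in root.iter("uses-permission")}
    data_permissions = {p: DATA_PERMISSIONS[p] for p in permissions if p in DATA_PERMISSIONS}

    # Self-launch at boot: a receiver whose intent filter listens for BOOT_COMPLETED.
    starts_at_boot = any(
        a.get(attr("name")) == BOOT_ACTION
        for receiver in root.iter("receiver")
        for a in receiver.iter("action")
    )

    # Hidden from the home screen: no enabled MAIN/LAUNCHER entry point.
    # Caveat: an app can also disable its launcher component at runtime,
    # which only dynamic (behavioural) analysis would catch.
    launcher_entries = 0
    for component in list(root.iter("activity")) + list(root.iter("activity-alias")):
        if component.get(attr("enabled"), "true") == "false":
            continue
        for intent_filter in component.iter("intent-filter"):
            actions = {a.get(attr("name")) for a in intent_filter.iter("action")}
            categories = {c.get(attr("name")) for c in intent_filter.iter("category")}
            if MAIN_ACTION in actions and LAUNCHER_CATEGORY in categories:
                launcher_entries += 1
    hidden_from_launcher = launcher_entries == 0

    findings = [f"requests {p} (can access {cat})" for p, cat in sorted(data_permissions.items())]
    if listing_claims_no_data and data_permissions:
        findings.append("store listing claims no data collection, yet data permissions are requested")
    if starts_at_boot:
        findings.append("registers a BOOT_COMPLETED receiver (self-launch without user interaction)")
    if hidden_from_launcher:
        findings.append("no enabled launcher activity (icon hidden from home screen)")

    return {
        "package": root.get("package"),
        "data_permissions": data_permissions,
        "contradicts_store_listing": listing_claims_no_data and bool(data_permissions),
        "starts_at_boot": starts_at_boot,
        "hidden_from_launcher": hidden_from_launcher,
        "findings": findings,
    }


# Constructed sample manifests (not the real apps): one showing the reported
# traits, one benign for contrast.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.filerecovery.sample">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="File Recovery">
    <activity android:name=".MainActivity" android:enabled="false">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <receiver android:name=".BootReceiver" android:exported="true">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes.sample">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = vet_manifest(manifest, listing_claims_no_data=True)
        print(report["package"])
        for finding in report["findings"] or ["no findings"]:
            print("  -", finding)
```

A check like this fits as a gate in an app-vetting pipeline (run on manifests decoded from the APK), but it is only the static half: because a launcher icon can be disabled after installation and exfiltration happens at runtime, it should be paired with behavioural analysis of the kind the report relied on, and with the store-listing comparison, where the contradiction between "no data collected" and the requested permissions is the strongest signal.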
