Apps with 1.5M installs on Google Play send your data to China

Cyber Security Threat Summary:
“Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality. The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China. Despite being reported to Google, the two apps continue to be available in Google Play at the time of publishing. File Recovery and Data Recovery, identified as ‘com[.]spot[.]music[.]filedate’ on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as ‘com[.]file[.]box[.]master[.]gkd’” (Bleeping Computer, 2023).

According to Pradeo, the mobile security company that uncovered the two applications, the apps exfiltrate the following data from the device once installed:

  • Users' contact list from on-device memory, connected email accounts, and social networks.
  • Pictures, audio, and video that are managed or recovered from within the applications.
  • Real-time user location.
  • Mobile country code.
  • Network provider name.
  • Network code of the SIM provider.
  • Operating system version number.
  • Device brand and model.

“While the apps might have a legitimate reason to collect some of the above to ensure good performance and compatibility, much of the collected data is not necessary for file management or data recovery functions. To make matters worse, this data is collected secretly and without gaining the user's consent” (Bleeping Computer, 2023).

Security Officer Comments:
To avoid detection, Pradeo says the apps hide their home screen icons, making it harder for users to notice and uninstall them. The applications also abuse permissions granted by the user to relaunch after a device restart and run in the background, giving them persistence on the device. In an update issued today, Google stated that it has removed both apps from the Google Play store.

Suggested Correction(s):
Before installing apps from the Play Store, users should check the reviews and double-check the permissions requested during installation. Furthermore, users should only download software published by reputable developers and avoid installing applications from third-party sites, as these could carry malicious payloads.
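As an added triage helper (not part of the original report or Pradeo's tooling), the script below checks a connected Android device over adb for the two package IDs named above and, for any match, lists granted permissions that would cover the data categories in the report; the mapping from those categories to Android permission names is my own choice, and adb plus a connected device are assumed only for check_device.

```shell
#!/bin/sh
# Defender-side triage for the two reported apps. Parsing functions work on
# plain text so they can be exercised offline; check_device assumes adb.

# Package IDs named in the report.
REPORTED_PKGS="com.spot.music.filedate com.file.box.master.gkd"

# Permissions that would cover the listed data categories (contacts, media,
# location, carrier/SIM details, relaunch at boot). Assumed mapping.
WATCH_PERMS="android.permission.READ_CONTACTS
android.permission.GET_ACCOUNTS
android.permission.READ_EXTERNAL_STORAGE
android.permission.ACCESS_FINE_LOCATION
android.permission.ACCESS_COARSE_LOCATION
android.permission.READ_PHONE_STATE
android.permission.RECEIVE_BOOT_COMPLETED"

# installed_reported: reads `pm list packages` output on stdin and prints
# every package that matches a reported ID, one per line.
installed_reported() {
  sed -n 's/^package://p' | while read -r pkg; do
    for bad in $REPORTED_PKGS; do
      if [ "$pkg" = "$bad" ]; then echo "$pkg"; fi
    done
  done
}

# granted_watch_perms: reads `dumpsys package <pkg>` output on stdin and
# prints the watched permissions that appear with granted=true, sorted.
granted_watch_perms() {
  sed -n 's/^[[:space:]]*\([A-Za-z_.]*\): granted=true.*/\1/p' \
    | while read -r perm; do
        for w in $WATCH_PERMS; do
          if [ "$perm" = "$w" ]; then echo "$perm"; fi
        done
      done | sort -u
}

# check_device: run both checks against the device attached via adb.
check_device() {
  adb shell pm list packages | installed_reported | while read -r pkg; do
    echo "REPORTED PACKAGE PRESENT: $pkg"
    adb shell dumpsys package "$pkg" | granted_watch_perms | sed 's/^/  granted: /'
  done
}
```

Run check_device with a device attached; a hit plus a granted READ_CONTACTS, location or RECEIVE_BOOT_COMPLETED line is the signal to uninstall and review what the app had access to.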

Link(s):
https://www.bleepingcomputer.com/