Two file management apps on the Android platform, with more than a million downloads combined, were actually infostealers that were sending harvested sensitive data to unknown entities in China.
Cybersecurity researchers from Pradeo uncovered and reported the apps, which were called File Recovery & Data Recovery, and File Manager. Both are built by the same developer, and while the former has roughly a million downloads, the latter has around 500,000.
Since then, Google removed the apps and reminded its users of the existence of Play Protect:
“These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play,” the company said in its announcement.
The apps displayed classic malware behavior: they harvest more data than they need to properly function, they hide their icons from the home screen so that users can’t easily find and remove them, and they don’t communicate clearly what they’re doing.
In this particular case, the data that was being exfiltrated to a server in China includes:
- Users’ contact lists from on-device memory, connected email accounts, and social networks.
- Pictures, audio, and video that are managed or recovered from within the applications.
- Real-time user location.
- Mobile country code.
- Network provider name.
- Network code of the SIM provider.
- Operating system version number.
- Device brand and model.
Furthermore, Pradeo found the apps abusing the permissions granted to them in order to restart themselves whenever the device is rebooted.
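As an added example (not Pradeo's tooling or anything from the article), the following static triage helper flags the three indicators described above in a decoded AndroidManifest.xml: permissions that cover the listed data categories, a receiver for BOOT_COMPLETED used to restart after reboot, and a missing or disabled launcher entry. The sample manifest is constructed, and the permission-to-category mapping is an assumption for illustration.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # prefix ElementTree gives android:* attributes
SENSITIVE = {  # permission -> data category the article lists (assumed mapping)
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.GET_ACCOUNTS": "connected accounts",
    "android.permission.ACCESS_FINE_LOCATION": "real-time location",
    "android.permission.READ_PHONE_STATE": "SIM/network operator identifiers",
    "android.permission.RECEIVE_BOOT_COMPLETED": "restart after reboot",
}
def _names(elem, tag):
    return {e.get(A + "name") for e in elem.iter(tag)}
def triage_manifest(manifest_xml: str) -> dict:
    """Static triage of a decoded AndroidManifest.xml (hypothetical helper)."""
    root = ET.fromstring(manifest_xml)
    perms = _names(root, "uses-permission") & SENSITIVE.keys()
    # Boot persistence: a receiver registered for BOOT_COMPLETED.
    boot = any("android.intent.action.BOOT_COMPLETED" in _names(r, "action")
               for r in root.iter("receiver"))
    # Launcher icon: an enabled activity/alias with MAIN + LAUNCHER. None (or only a disabled
    # one) matches the hidden-icon behaviour; runtime hiding still needs dynamic analysis.
    launcher = False
    for tag in ("activity", "activity-alias"):
        for act in root.iter(tag):
            if act.get(A + "enabled", "true") == "false":
                continue
            for f in act.iter("intent-filter"):
                if ("android.intent.action.MAIN" in _names(f, "action")
                        and "android.intent.category.LAUNCHER" in _names(f, "category")):
                    launcher = True
    return {"sensitive_data": sorted(SENSITIVE[p] for p in perms),
            "boot_persistence": boot, "launcher_icon_visible": launcher}
# Constructed sample (not the real apps' manifest): a "file manager" asking for contacts,
# location and operator data, restarting on boot, and shipping its launcher entry disabled.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fm">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".Main" android:enabled="false"><intent-filter>
      <action android:name="android.intent.action.MAIN"/>
      <category android:name="android.intent.category.LAUNCHER"/>
    </intent-filter></activity>
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
```

Running `triage_manifest(SAMPLE)` on the constructed manifest reports all three indicators; a legitimate file manager would normally show a visible launcher entry and no boot receiver.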
Analysis: Why does it matter?
Data is the “oil” of the 21st century. It’s being used by most companies to generate personalized offers, get more insight into user/customer behavior, and generate new revenue streams. In the last couple of years, as many companies started harvesting user data