Two file management apps on the Android platform, with more than a million downloads combined, were actually infostealers that were sending harvested sensitive data to unknown entities in China.
Cybersecurity researchers from Pradeo uncovered and reported the apps, which were called File Recovery & Data Recovery, and File Manager. Both are built by the same developer, and while the former has roughly a million downloads, the latter has around 500,000.
Since then, Google removed the apps and reminded its users of the existence of Play Protect:
“These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play,” the company said in its announcement.
The apps displayed classic malware behavior: they harvest more data than they need to properly function, they hide their icons from the home screen so that users can’t easily find and remove them, and they don’t communicate clearly what they’re doing.
In this particular case, the data that was being exfiltrated to a server in China includes:
- Users’ contact list from on-device memory, connected email accounts, and social networks.
- Pictures, audio, and video that are managed or recovered from within the applications.
- Real-time user location
- Mobile country code
- Network provider name
- Network code of the SIM provider
- Operating system version number
- Device brand and model
Furthermore, Pradeo found the apps abusing given permissions in order to restart themselves when the endpoint is rebooted.
Analysis: Why does it matter?
Data is the “oil” of the 21st century. It’s being used by most companies to generate personalized offers, get more insight into user/customer behavior, and generate new revenue streams. In the last couple of years, as many companies started harvesting user data in various, often unscrupulous ways, awareness about the importance of user privacy grew. At the same time, legislators and law enforcement pressured companies into disclosing more information on how they generate, store, safeguard, and share customer data, and forced them into being more diligent in that respect.
At the end of the day, the EU’s General Data Protection Regulation does just that.
But laws and regulations never stopped cybercriminals. These are still engaged in data theft on a daily basis, as it allows them multiple new avenues of attack: identity theft, wire fraud, ransomware, business email compromise, and more.
Nation-states are also engaged in constant cyberattacks, including data theft. Chinese, Iranian, North Korean, and Russian hackers are notorious for their ransomware campaigns, as well as data theft, which is often part of a wider espionage effort.
Some Western nations and diplomats, led by the Trump administration, were loud in accusing China of using its companies as proxies for its espionage and data theft efforts. As a result, Huawei was heavily scrutinized in the West, and subsequently banned from developing and building out 5G infrastructure.
Huawei, as well as the Chinese government, vehemently denied these allegations, saying they were baseless and that they have no intention of attacking their Western peers in the digital realm. Huawei has even called for Western auditors to review its products and services to ensure no backdoors or data exfiltration techniques were included.
It didn’t work. Most major tech companies don’t operate in China. Google, for example, pulled out, leaving Huawei to develop its own mobile operating system, called HarmonyOS.
What have others said about Chinese espionage?
Those who have been following the cybersecurity industry know that China is no stranger to cybercrime, and that its threat actors have been caught in the act numerous times. In a February 2022 writeup, MIT’s Technology Review delved deep into Daxin, “the stealthy back door” that was used in “espionage operations against governments around the world for a decade before it was caught.”
MIT’s authors further stated that Daxin isn’t a “one-off”, but rather another sign of China’s “decade-long quest to become a cyber superpower.”
“While Beijing’s hackers were once known for simple smash-and-grab operations, the country is now among the best in the world thanks to a strategy of tightened control, big spending, and an infrastructure for feeding hacking tools to the government that is unlike anything else in the world.”
In June this year, at an appearance at the Aspen Institute in Washington, D.C, CISA director Jen Easterly said China is a “real threat” that the West needs to be prepared for, CNBC reported. Easterly was responding to a question about the recently disclosed Chinese infiltration of U.S. military and private sector infrastructure.
Easterly described China’s cyber-espionage and sabotage capabilities as an “epoch-defining threat” saying that in the event of open warfare “aggressive cyber operations” would threaten critical U.S. transportation infrastructure “to induce societal panic.”
In late May this year, western intelligence agencies, together with Microsoft, warned of a Chinese state-sponsored hacking group spying on a wide range of US critical infrastructure organizations.
If you want to learn more about staying safe online, make sure to read our in-depth guide on the best firewalls, as well as best antivirus programs. Also, read our best data loss prevention guide, as well as what is zero trust network access.