Two spyware applications posing as file management tools have been discovered on the Google Play Store with a total of at least 1.5 million installs.
The apps, attributed to the same developer and discovered by cybersecurity firm Pradeo, exhibit similar malicious behaviors and operate without user interaction. Their main objective is to covertly extract and transmit sensitive user data to malicious servers based in China. The findings were reported to Google.
One of the spyware applications falsely claimed on its Google Play Store profile that it does not collect user data.
“The reports from our behavioral analysis engine show that both spyware collect very personal data from their targets, to send them to a large number of destinations which are mostly located in China and identified as malicious,” explained Roxane Suau, the Pradeo researcher who uncovered the spyware.
In addition to collecting personal information from users’ devices, such as contact lists and media files (picture, audio and video files), the applications transmit the stolen data to multiple malicious servers predominantly located in China.
Read more on Chinese spyware: CISA: Patch Bug Exploited by Chinese E-commerce App
The volume of data transmitted by the spyware distinguishes it from typical cases. Each application sends the stolen data over a hundred times.
To maximize their success, the hackers behind the spyware employ several tactics. The applications falsely boost their credibility by artificially inflating the number of installations, a technique achieved through install farms or mobile device emulators.
Additionally, the spyware utilizes advanced permissions to induce device restarts, enabling automatic launch and execution upon restart, as well as techniques to make uninstallation harder.
“An application can simply hide its icon from the general view. Both of these malware use this technique to make […] uninstallation harder. To delete them, users require going to the application list in the settings,” Suau explained.
The discovery of this spyware on the Google Play Store serves as a stark reminder for users and organizations to remain vigilant, take appropriate security measures and protect their sensitive information from falling into the wrong hands.