Security researchers at Pradeo have detected two spyware apps posing as file management applications hiding on the Google Play Store and affecting up to 1.5 million Android users.

According to the mobile security company, the two malicious apps are programmed to launch without users’ input and silently collect sensitive user data and send it to dubious servers based in China.

The two spyware apps are namely  File Recovery and Data Recovery,

(com.spot.music.filedate), with over 1 million installs, and File Manager (com.file.box.master.gkd), with over 500,000 installs.

Both applications are from the same developer and feature similar malicious behaviors.

Android Apps malware

How Do These Apps Work?

The two spyware apps were discovered by Pradeo’s behavioral analysis engine on the Google Play Store, where these apps claim that they do not collect from the users’ devices. It also states that if any data is collected, users could not request the data to be deleted.

However, contrary to the claims on the Google Play Store, these two mobile apps were found to be collecting the following sensitive user data and sending them to multiple servers mostly located in China:

  • Users’ contact lists from the device itself, connected email accounts, and social networks
  • Pictures, audio, and video contents compiled in the application
  • Real time user location
  • Mobile country code
  • Network provider name
  • Network code of the SIM provider
  • Operating system version number
  • Device brand and model

What is particularly disturbing is that each application carried out more than a hundred transmissions of the collected data, which is a significant amount for malicious activities.

To increase their success, the developers of these spyware apps used sneaky techniques to appear more trustworthy and performant, which made it difficult to find and uninstall them.

“Both spyware show a big user population, yet have no reviews. We believe the hacker used an install farm or mobile device emulators to fake those numbers, hence making its applications better ranked in stores’ category lists and increase their apparent legitimacy,” wrote Roxane Suau, the Pradeo researcher who uncovered the spyware in a blog post.

Moreover, both apps were also found to have advanced permissions that allow them to restart devices and then launch and execute themselves automatically, without user interaction, and to hide their icons on the home screen, making it difficult for unsuspecting users to uninstall them.

Pradeo alerted Google of the discovery before publishing the blog post. At the time of writing, both spyware apps have been removed from the Google Play Store.

“These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play,” Google said in a statement to BleepingComputer.

If you have any of the above-mentioned apps installed on your device, it is recommended that you locate and delete them from your device immediately. Additionally, you can follow the below-mentioned tips to keep yourself safe:

  • Ensure you are running the latest version of Android on your device.
  • Do not download apps that do not have any reviews in spite of thousands of users.
  • Read reviews, if there are any, to understand the legitimate nature of the app.
  • Always carefully read permissions before accepting them.
  • Uninstall apps from your device that are no longer required.
  • Be wary of apps that ask for more permissions than it needs, as they might be malicious.
  • Only download software published by reputable developers.