Cybersecurity experts from Pradeo revealed two malicious file management and data recovery apps on Google Play that were installed on more than 1.5 million devices in total. The applications collected far more data than is necessary to perform the advertised functionality.
Both apps, File Recovery & Data Recovery (com.spot.music.filedate) and File Manager (com.file.box.master.gkd), belong to the same publisher. They may run covertly in the background and transmit stolen data to remote servers in China. At the time of publication, the applications are no longer available on Google Play, but it is still worth discussing how they operate so as not to accidentally run into something similar in the future.
The applications were found using a behavioral analysis engine from Pradeo, a mobile security company. The description of the apps on Google Play indicates that they never collect any user data from the customer's device. However, Pradeo experts determined that this is far from the truth. The applications were able to send the following data to attackers:
While apps may have a legitimate need to gather some of the above data to maintain optimal performance and compatibility, most of the data collected is not needed to manage or recover files, which is what these applications are designed for. Even worse, this data is acquired inconspicuously and without any consent from the user.
Pradeo further says that both apps hide their home screen icons to make them harder to detect and delete. They can also abuse the permissions that the user accepted during installation to restart the device and run in the background.
It is possible that the publisher used some form of manipulation in the Google store to artificially "inflate" the popularity of the applications and make its products seem more trustworthy thanks to the large number of downloads. This idea is confirmed by the fact that the number of user reviews on the Play Store is excessively low relative to the claimed audience.
As you can see once again, downloading software from the official store does not guarantee security. Android users are advised to always check user reviews before installing an app, pay attention to permissions that are requested, and only trust software provided by widely recognized developers.