Apps with 1.5M installs on Google Play send your data to China

Security researchers discovered two malicious file management applications on Google Play with a collective installation count of over 1.5 million that collected excessive user data that goes well beyond what's needed to offer the promised functionality.

The apps, both from the same publisher, can launch without any interaction from the user to steal sensitive data and send it to servers in China.

Despite being reported to Google, the two apps continue to be available in Google Play at the time of publishing.

The two spyware apps discovered by Pradeo
Malicious apps still in Google Play (BleepingComputer)

File Recovery and Data Recovery, identified as "com.spot.music.filedate" on devices, has at least 1 million installs. The install count for File Manager reads at least 500,000 and it can be identified on devices as  "com.file.box.master.gkd."

The two apps were discovered by the behavioral analysis engine from mobile security solutions company Pradeo and their description states that they do not collect any user data from the device on the Data Safety section of their Google Play entry

Data collection declaration on Google Play
Data collection declaration on Google Play (BleepingComputer)

However, Pradeo found that the mobile apps exfiltrate the following data from the device:

  • Users' contact list from on-device memory, connected email accounts, and social networks.
  • Pictures, audio, and video that are managed or recovered from within the applications.
  • Real-time user location
  • Mobile country code
  • Network provider name
  • Network code of the SIM provider
  • Operating system version number
  • Device brand and model

While the apps might have a legitimate reason to collect some of the above to ensure good performance and compatibility, much of the collected data is not necessary for file management or data recovery functions. To make matters worse, this data is collected secretly and without gaining the user's consent.

Pradeo adds that the two apps hide their home screen icons to make it more difficult to find and remove them. They can also abuse the permissions the user approves during installation to restart the device and launch in the background.

It is likely that the publisher used emulators or install farms to bloat popularity and make their products appear more trustworthy, Pradeo speculates.

This theory is supported by the fact that the number of user reviews on the Play store is way too small compared to the reported userbase.

It is always recommended to check user reviews before installing an app, pay attention to the requested permissions during app installation, and only trust software published by reputable developers.

Update 7/6/23 5:51 PM ET: Google shared the following statement with BleepingComputer and said that they removed the apps from Google Play.

"These apps have been removed from Google Play. Google Play Protect protects users from apps known to contain this malware on Android devices with Google Play Services, even when those apps come from other sources outside of Play."

Related Articles:

New Medusa malware variants target Android users in seven countries

Over 90 malicious Android apps with 5.5M installs found on Google Play

Android 15, Google Play Protect get new anti-malware and anti-fraud features

Google Pixel 6 series phones bricked after factory reset

Rafel RAT targets outdated Android phones in ransomware attacks