Cakra News

Android apps with over 10 lakh downloads found with spyware sending data to China

Researchers have found that the apps with the spyware were sending data, including users’ contact lists from the device itself and from all connected accounts, real-time user location, and more to servers in China.

In Short

  • Researchers have found two apps with spyware sending data to China.
  • Two apps on Google Play were found with the spyware.
  • The cybersecurity firm states that it has alerted Google of the discovery.

By Abhik Sengupta

Google Play started rolling out privacy-focused “nutrition labels” last year to help users know what data apps collect even before downloading. However, it appears that bad actors and developers have found a way to dodge the system to steal users’ data. According to cybersecurity analysts at mobile cybersecurity company Pradeo, two apps on Google Play were found with spyware sending data to malicious servers based in China. The firm notes that over 10 lakh users are affected by the spyware-laden apps. It added that the apps’ download pages stated they didn’t collect data.

In a blog post, the cybersecurity firm states that it has alerted Google of the discovery. The two apps with Chinese spyware are “File Recovery and data recovery” and “File Manager.” Both are published by the same developer, named “Wang Tom.” As the names suggest, the apps help users manage data and, in some cases, “retrieve deleted files from your phone tablets, or any Android devices.” Users are advised to delete the apps if they are still using them.

As mentioned, the apps somehow got around Google Play’s rule requiring apps to declare the data they collect. The post reads, “On the Google Play Store, both the above-mentioned applications’ profiles announce that they do not collect any data from user’s devices, which we found to be false information. Furthermore, they announce that if data was collected, users could not request it to be deleted, which is against most data protection laws like the GDPR.”

The research firm suggests that these apps were collecting data, including users’ contact lists from the device itself and from all connected accounts, real-time user location, mobile country code, network provider name, network code of the SIM provider, and device brand and model.

The spyware-laden Android apps likely passed the Google Play Security check as they offer seemingly legitimate services. The research firm suggests that users must see reviews before downloading apps. In many cases, apps shown with high download counts but no reviews raise red flags. The firm also notes that users must “carefully read permissions before accepting them.”

Notably, the same research firm discovered last year a “cartoonifier” app with over one lakh downloads stealing users’ Facebook credentials. Researchers discovered a trojan called FaceStealer within the cartoonifier app. The trojan reportedly displayed a Facebook login screen that required users to log in before getting to the homepage of the app. After entering the credentials, the app would steal and send the information to a malicious server.