Security researchers recently uncovered two malicious file management applications on Google Play, which have amassed a combined installation count of over 1.5 million.
According to a report by BleepingComputer, the apps collect far more user data than their advertised functionality requires.
The report reveals that both apps, originating from the same publisher, have the ability to launch without user interaction and illicitly extract sensitive data, sending it to servers located in China.
App Details and User Data Exfiltration
The first app, “File Recovery,” appears on devices under the package name “com.spot.music.filedate” and has at least 1 million installs. The second, “File Manager,” uses the package name “com.file.box.master.gkd” and has at least 500,000 installs. Both apps were detected by Pradeo, a mobile security solutions company.
Contrary to their claims of not collecting user data, the apps retrieve the following information from the device:
- Contact list from on-device memory, connected email accounts, and social networks.
- Pictures, audio, and video files managed or recovered through the apps.
- Real-time user location.
- Mobile country code, network provider name, and SIM provider network code.
- Operating system version, device brand, and model.
While some data collection may be justified for performance and compatibility reasons, the majority of the extracted data goes beyond what is necessary for file management and data recovery. The apps clandestinely gather this data without obtaining the user’s consent.
Furthermore, Pradeo discovered that the apps employ tactics to evade detection and removal:
- Hiding their home screen icons to impede detection.
- Exploiting approved permissions during installation to restart the device and run in the background.
Pradeo speculates that the publisher used emulators or install farms to artificially inflate the install counts and create a facade of trustworthiness. This hypothesis is supported by the very low number of user reviews relative to the reported user base.
Google’s Response and App Removal
After being notified, Google said it has removed the malicious apps from Google Play. Android users who rely on Google Play Services and Google Play Protect are protected from these apps even if they are installed from sources outside Google Play.