Chinese Affiliated Spyware Uncovered on Google Play Store

Security researchers at mobile security solutions provider Pradeo identified two spyware apps concealed within the Google Play Store that together reached approximately 1.5 million users.

The malicious apps

Pradeo researchers published details of two spyware apps found on the Google Play Store: File Recovery and Data Recovery, and File Manager.
  • These two applications, developed by the same entity, masquerade as file management tools and exhibit comparable malicious behaviors.
  • Notably, they are designed to initiate autonomously, without any user interaction, and transmit valuable user data to multiple servers located in China.

What’s on the line?

  • The spyware applications illicitly collect device and user data, including the OS version number, device brand and model, network provider, the SIM provider's network code, country code, and real-time user location.
  • They also steal sensitive media, including pictures, videos, and audio files, as well as contact lists and more.

How does the lure work?

  • The attackers behind these malicious apps used various tactics to appear legitimate, such as displaying a large user base while having no user reviews. It is suspected that they employed mobile device emulators or install farms to artificially inflate the number of users, boosting the apps' ranking on the store.
  • Another strategy is minimizing user interaction. These applications can launch automatically at system startup, allowing them to carry out their malicious activities even when the app itself is not actively being used.
  • Additionally, these apps remain concealed on the home screen, ensuring their icons are hidden to prevent easy uninstallation.
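As an added defender-side illustration (example code written for this page, not from Pradeo's report or the apps themselves), the following script statically triages a constructed AndroidManifest.xml for the traits described above: a receiver that starts the app at boot, no launcher icon, and permissions that map to the data types listed earlier. The sample manifest and package name are constructed; the absence of a LAUNCHER category is only one heuristic, since an icon can also be disabled at runtime.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Permissions that map to the data types the article says were exfiltrated.
SENSITIVE_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",   # real-time location
    "android.permission.READ_CONTACTS",          # contact lists
    "android.permission.READ_EXTERNAL_STORAGE",  # pictures, videos, audio
    "android.permission.READ_PHONE_STATE",       # carrier / SIM details
}

# Constructed sample manifest (not a real app's manifest) showing the traits.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.filerecovery">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def review_manifest(xml_text):
    """Return a list of human-readable findings for the traits described above."""
    root = ET.fromstring(xml_text)
    findings = []
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    # Autostart: a BOOT_COMPLETED receiver plus the permission needed to receive it.
    boot_receiver = any(a.get(A + "name") == "android.intent.action.BOOT_COMPLETED"
                        for r in root.iter("receiver") for a in r.iter("action"))
    if boot_receiver and "android.permission.RECEIVE_BOOT_COMPLETED" in perms:
        findings.append("starts itself at boot")
    # Hidden icon: no activity declares the LAUNCHER category. This is only a
    # static heuristic; an icon can also be disabled at runtime after install.
    has_launcher = any(c.get(A + "name") == "android.intent.category.LAUNCHER"
                       for act in root.iter("activity") for c in act.iter("category"))
    if not has_launcher:
        findings.append("no launcher icon")
    hit = sorted(perms & SENSITIVE_PERMS)
    if hit:
        findings.append("sensitive permissions: " + ", ".join(hit))
    return findings
```

A genuine file manager legitimately needs storage access, so the combination of findings, rather than any single permission, is what should raise the priority of a manual review.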

More spyware

  • In June, three Android apps on Google Play were used by a state-sponsored hacking group to collect intelligence from targeted devices, highlighting the ongoing threat of malicious apps on trusted platforms. The operation was attributed to the DoNot APT group. 
  • The same month, researchers discovered the SpinOk malware in over 400 million Android app downloads, posing a significant threat to user data security. 

The bottom line

There are several ways to steer clear of these threats. Users should avoid downloading apps that show thousands of users but no reviews, and should read the requested permissions before granting them. To strengthen their security posture, organizations are advised to automate the detection of and response to mobile threats by thoroughly evaluating applications and verifying their compliance with established security policies.
Publisher: Cyware