Security researchers have discovered two malicious file management applications on Google Play, collectively installed on over 1.5 million devices, that are collecting user data beyond what is necessary for their advertised functionality.
These apps, originating from the same publisher, can launch without user interaction and surreptitiously send the stolen data to servers in China. Despite being reported, the apps are still available for download on Google Play.
The apps, named File Recovery and Data Recovery, were identified by Pradeo, a mobile security solutions company. Although their Google Play descriptions claim not to collect user data, Pradeo’s analysis revealed that these apps exfiltrate sensitive information, including contact lists, pictures, audio, video, real-time user location, network details, and device information. The collected data far exceeds what is required for file management or data recovery functions and is obtained without the user’s consent.
In addition to their data collection activities, the apps employ tactics to evade detection and removal. They hide their home screen icons and exploit permissions granted during installation to run in the background and restart the device.
Pradeo speculates that the publisher may have used emulators or install farms to artificially boost the popularity and credibility of these apps, pointing to the disproportionately low number of user reviews compared to the reported user base.
To protect themselves, users are advised to thoroughly review user feedback, scrutinize requested permissions during app installation, and trust only reputable developers.