Apps with 1.5 mn installs found sending data to China


The stolen data includes users’ contact lists from the device itself and from all connected accounts such as email, social networks, media compiled in all applications…reports Asian Lite News

Security researchers have found two malicious file management applications on Google Play Store with a collective download count of over 1.5 million that sends sensitive users’ data towards various malicious servers based in China.

“Our engine detected two spyware hiding on the Google Play Store and affecting up to 1.5 million users. Both applications are from the same developer, pose as file management applications and feature similar malicious behaviours,” said cyber security company Pradeo.

“They are programmed to launch without users’ interaction and to silently exfiltrate sensitive users’ data towards various malicious servers based in China,” it added.

Both apps stated they collect no data on the Google Play website; however, the security researchers said that “both spyware collected very personal data from their targets, to send them to a large number of destinations which are mostly located in China and identified as malicious”.

The stolen data includes users’ contact lists from the device itself and from all connected accounts such as email, social networks, media compiled in the application: Pictures, audio and video contents, real-time user location, mobile country code, network provider name, and more.

The first app, “File Recovery & Data Recovery,” had over a million installs, while File Manager had over 5,00,000. Both apps were uploaded by the same publisher, wang tom.

According to the researchers, the developers use a number of “sneaky behaviours” to boost the programme’s popularity, such as generating the appearance that the software is authentic and requiring minimal user involvement to participate in criminal conduct.

The research, conducted by Haoyu Liu (University of Edinburgh), Douglas Leith (Trinity College Dublin), and Paul Patras (University of Edinburgh), suggests that private information leakage poses a serious tracking risk to mobile phone customers in China, even when they travel abroad in countries with stronger privacy laws.

In a paper titled “Android OS Privacy Under the Loupe – A Tale from the East,” the trio of university boffins analyzed the Android system apps installed on the mobile handsets of three popular smartphone vendors in China: OnePlus, Xiaomi and Oppo Realme.

The researchers looked specifically at the information transmitted by the operating system and system apps, in order to exclude user-installed software. They assume users have opted out of analytics and personalization, do not use any cloud storage or optional third-party services, and have not created an account on any platform run by the developer of the Android distribution. A sensible policy, but it doesn’t seem to help much.

The pre-installed set of apps consists of Android AOSP packages, vendor code and third-party software. There are more than 30 third-party packages in each of the Android handsets with Chinese firmware, the paper says.

These include Chinese input apps like Baidu Input, IflyTek Input and Sogou Input on the Xiaomi Redmi Note 11. On the OnePlus 9R and Realme Q3 Pro, there’s Baidu Map as a foreground navigation app and the AMap package, which runs continuously in the background. And there are also various news, video streaming, and online shopping apps bundled into the Chinese firmware.

Within this limited scope, the researchers found that Android handsets from the three named vendors “send a worrying amount of Personally Identifiable Information (PII) not only to the device vendor but also to service providers like Baidu and to Chinese mobile network operators.”

The tested phones did so even when these network operators were not providing service – no SIM card was present or the SIM card was associated with a different network operator.

“The data we observe being transmitted includes persistent device identifiers (IMEI, MAC address, etc.), location identifiers (GPS coordinates, mobile network cell ID, etc.), user profiles (phone number, app usage patterns, app telemetry), and social connections (call/SMS history/time, contact phone numbers, etc.),” the researchers state in their paper.

“Combined, this information poses serious risks of user deanonymization and extensive tracking, particularly since in China every phone number is registered under a citizen ID.”

The data collection from these devices doesn’t change when the devices exit China, the researchers say, even though jurisdictions beyond the Middle Kingdom enforce more robust data protection regimes. And the boffins argue that this means the cited phone vendors and some third-parties can track Chinese travelers and students abroad and learn something about their foreign contacts.

Another of the researchers’ findings is that there are three to four times more pre-installed third-party apps on Chinese Android distributions than there are on basic Android from other nations. And these apps get eight to 10 times as many permissions for third-party apps compared to Android distributions from outside China.

ALSO READ-Spy Balloon Fuels Calls to Revoke 1979 Deal With China

[mc4wp_form id=""]