Google Play introduced privacy-focused “nutrition labels” last year to help users learn what data apps collect even before they download them. However, it appears that bad actors and developers have found a way to trick the system in order to steal users’ data. According to cybersecurity analysts at mobile cybersecurity company Pradeo, two apps on Google Play were found to contain spyware that was sending data to malicious servers located in China. The company says that more than one million users are affected by spyware-containing apps. It states that the app’s download pages state that they do not collect data.
In a blog post, the cyber security firm said it alerted Google about the discovery. Two apps containing Chinese spyware are “File Recovery & Data Recovery” and “File Manager”. Both are published by the same developer named “Wang Tom”. As the name suggests, the app helps users manage data and, in some cases, “recover deleted files from your phone, tablet, or any Android device.” Users are advised to remove the apps if they are still using them.
As mentioned, the addition of Google Play rules for apps to somehow declare the data they collect. The post reads, “On the Google Play Store, the profiles of both the above apps declare that they do not collect any data from user’s devices, which we found to be false information. Furthermore, they declare that if the data is collected users cannot request deletion, which is against most data protection laws such as the GDPR.”
The research firm suggests that these were collecting data from the device and all connected accounts including users’ contact list, real-time user location, mobile country code, network provider name, SIM provider’s network code and device brand.
Android apps containing spyware have probably passed the Google Play security check because they provide legitimate services. The research firm suggests that users should check reviews before downloading apps. In many cases, apps are shown with high download numbers, but no reviews raise red flags. The company also notes that users “should read them carefully before accepting the permission.”
Notably, the same research firm last year discovered a “cartoonifier” app whose more than one million downloads was stealing users’ Facebook credentials. Researchers discovered a Trojan called FaceStealer within the Cartoonifier app. The trojan reportedly displayed a Facebook login screen that required users to log in before being taken to the app’s homepage. After entering the credentials, the app will steal the information and send it to a malicious server.
