Cynos Android malware infects more than 9 million Huawei smartphones

Sicherheit (Pexels, allgemeine Nutzung)[German]The Chinese smartphone manufacturer Huawei has temporarily removed 190 Android apps from its app store. The reason: Russian security vendor Dr. Web had discovered that these apps were infected with the Cynos Android malware while analyzing apps in the Huawei app store.


Dr. Web reports here, that its malware analysts discovered dozens of games in the AppGallery catalog that have an Android.Cynos.7.origin Trojan embedded in them. This Trojan was designed to collect users' cell phone numbers. At least 9,300,000 Android device owners have installed these games with an integrated Trojan.

The Cynos malware

Android.Cynos.7.origin is one of the modifications of Cynos program module. This module can be integrated into Android apps in order to monetize them. This Cynos platform has been around since at least 2014. Some Cynos versions have quite aggressive features: They send premium SMS, intercept incoming SMS, download and launch additional modules, download and install other apps. The main functionality of the version detected by our malware analysts is collecting information about users and their devices and displaying advertisements.

Cynos permissions
Cynos permissions, Source: Dr. Web

The apps that contain the Android.Cynos.7.origin Trojan ask the user for permission to make and manage phone calls. This allows the Trojan to gain access to certain data. If the user gives consent, the Trojan collects the following information and sends it to a remote server:

  • user's cell phone number
  • Device location based on GPS coordinates or mobile network data and Wi-Fi access point (if the application has permission to access the location)
  • Various mobile network parameters, such as the network prefix and country code of the mobile network; also the GSM cell ID and GSM international prefix (if the application has permission to access the location)
  • Various technical data of the device
  • Various parameters from the metadata of the Trojanized application

Problem with the fished mobile numbers is that they mostly belong to smartphones used by children, as they use the game apps. The security researchers found Android.Cynos.7.origin in 190 games in Huawei's AppGallery store, including simulators, platformers, arcade games, strategies and shooters. More than 9,300,000 users have downloaded these games together (the number of installs is calculated based on the number of downloads listed in the AppGallery for each app).


Some of these games are aimed at Russian-speaking users: they have Russian localization, titles and descriptions. Others are aimed at Chinese or international audiences.  The Dr. Web article lists some games that contain this Trojan. (via)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security and tagged , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *