Two file manager apps in Google Play Store transfer data to China

[German]Unpleasant story that once again shows that apps should be viewed with great caution and used with restraint. Security researchers have discovered two apps in the Google Play Store that contain spyware that sends data directly to China. Apps like file managers are quickly installed on an Android device.


Security vendor came across two suspicious examples while analyzing Android apps found on the Google Play Store, which it then analyzed in more detail. These are the apps "File Recovery & Data Recovery" and "File Manager" highlighted below, as the security researchers write in the post Two spyware tied with China found hiding on the Google Play Store.

Android Spyware-Apps

This was noticed during an automatic analysis by a scan engine that reported the two spyware programs. Here are the details of the apps that the security researchers published:

  • File Recovery and Data Recovery – – 1M+ Installs
  • File Manager – – 500K+ Installs

Both apps are from the same developer and are used by up to 1.5 million users. The apps pose as file management applications and exhibit similar malicious behaviors. They are programmed to launch without user intervention and forward sensitive user data unnoticed to various servers (classified as malicious) in China. The security researchers informed Google before publishing their finding, and I have since not found the apps in the Google Play Store.

In the description of the apps in the Google Play Store, the security researchers state that both apps do not collect data from users' devices. It also says that if data was collected, users would not be able to request its deletion, which is against most data protection laws such as the GDPR. However, these profile statements from apps are smoke and mirrors in my eyes, as Google points out that users would have to inform themselves if data is being collected.


According to the security researchers, the behavioral analysis engine revealed that both spyware programs collect very personal data from their targets in order to send it to a large number of targets, mostly located in China and identified as malicious. The stolen data includes:

  • Users' contact lists from the device itself and from all connected accounts such as email, social networks, etc.
  • Media compiled in the application: images, audio and video content
  • User location in real time
  • Country code of the cell phone
  • Name of the network operator
  • Network code of the SIM provider
  • Operating system version number, which, as with the Pegasus spyware, can lead to a vulnerable system exploit
  • Device make and model

In detail, each application performs more than a hundred transmissions of the collected data, write the security researchers. This is an order of magnitude that has rarely been observed before. In the article, the security researchers give some tips on how to protect against such a thing. The number of installations should not be a criterion, but it is also important to take a look at the ratings of other users.

The apps had a large download count, but no ratings. The security researchers suspect that the developer used an installation farm or emulators for mobile devices to fake these numbers and place the apps at the top of the relevant category in the store to also improve their apparent legitimacy.

The general rule is to install as few apps as possible, to check the ratings of other users as well as the access rights requested by the app, and to prefer not to use an app. Companies should sensitize their employees to these dangers. In addition, mobile threat detection and response should be automated there to provide a safe environment for users. Mobile device management systems (MDMs) are also usually used there to enforce security policies in companies. (via)

Cookies helps to fund this blog: Cookie settings

This entry was posted in Android, Security, Software and tagged , , . Bookmark the permalink.

One Response to Two file manager apps in Google Play Store transfer data to China

  1. Glenn Pearl says:

    Highly recommend the Exodus Privacy site to research trackers and permissions for Android apps before installing.

Leave a Reply

Your email address will not be published. Required fields are marked *