1.5 million Android users affected by hidden spyware tied to China
An estimated 1.5 million users were affected by hidden spyware on two popular Android apps which sent private user data to China.
Only recently deleted by Google Play, File Manager had already been installed over 500,000 times and File Recovery and Data Recovery over one million times. Both apps were developed by Wang Tom and contained hidden malicious spyware, according to a report from cybersecurity firm Pradeo last week.
The apps, posing as file management tools, claimed on their profiles that they did not collect user data, though this was untrue. They launched without users’ permission and then collected private user data including location, photos, audio, video, network provider name, SIM provider network code, operating system version number, mobile country code and device brand and model. The spyware also pulled lists of users’ contacts from the device and from all connected accounts such as email and social media.
“The reports from our behavioral analysis engine show that both spyware collect very personal data from their targets, to send them to a large number of destinations which are mostly located in China and identified as malicious,” said Pradeo. No further specifics were released.
Each application transmitted the collected data over 100 times, which the firm notes helped the spyware go undetected.
But while users may be concerned about hacking by malicious Chinese actors, spyware installed by governments and Google itself goes undetected.
According to a class-action lawsuit filed last year, the Massachusetts Department of Health (DPH) worked with Google to tap into over one million Android smartphones for contact tracing during the COVID-19 pandemic.
The New Civil Liberties Alliance (NCLA), who filed the lawsuit, said that spyware was secretly auto-installed on the phones, though it was not visible alongside other apps. The MassNotify app could only be found by the user opening Settings and using the View All Apps feature. If a user found the app and deleted it, the DPH would simply have it re-installed.
While other states and governments also used smartphones for contact tracing, they required an opt-in from the smartphone owners. But after its initial opt-in version did not yield the results it had hoped for, the DPH changed the program to not only require an opt-out from the user, but also to forcibly re-install the app if deleted.