A popular file manager for Android was spying on its users
Chinese developers have been collecting excessive amounts of data, including contacts, photos, videos, and location.
Cybersecurity experts from the company Pradeo discovered two malicious file management and data recovery applications on Google Play that were installed on more than 1.5 million devices in total. The applications collected an excessive amount of data that is not necessary to provide the claimed functionality.
Both applications, File Recovery & Data Recovery (com.spot.music.filedate) and File Manager (com.file.box.master.gkd), belong to the same publisher. They could work stealthily in the background and send stolen data to remote servers in China. At the time of publication of this news, the applications are no longer available on Google Play, but it’s still worth talking about how they operate so as not to accidentally run into something similar in the future.
Malicious apps with 1.5 million total downloads
The applications were discovered using a behavioral analysis engine from Pradeo, a mobile security company. The description of the apps on Google Play states that they do not collect any data from the user's device. However, Pradeo experts found that this is far from the case. The applications were able to send the following data to attackers:
- list of contacts from the device memory;
- emails and social networks linked to the device;
- photos, audio and video accessed from applications;
- user location in real time;
- mobile operator country code;
- the name of the mobile operator;
- operating system version;
- device brand and model.
While applications may have a legitimate reason to collect some of the above data to ensure good performance and compatibility, most of the data collected is not needed to manage or restore files, which is what these applications are designed for. Even worse, this data is collected secretly and without the consent of the user.
Pradeo also adds that both apps hide their home screen icons to make them harder to find and uninstall. They can also abuse the permissions that the user approved during installation to restart the device and run in the background.
It is likely that the publisher used some manipulation of the Google store to artificially “inflate” the popularity of applications and make their products seem more reliable due to the large number of downloads. This theory is supported by the fact that the number of user reviews on the Play Store is too low compared to the claimed audience.
As you can see once again, downloading applications from the official store does not guarantee security. Android users are advised to always check user reviews before installing an app, pay attention to permissions being requested, and only trust software published by well-known developers.
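The permission check recommended above can be done mechanically on a decoded AndroidManifest.xml. The following is an added example, not code from Pradeo or from the apps described; the permission-to-category mapping, the file manager baseline, and the sample manifest with its package name are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."

# Assumed mapping from Android permissions to the data categories in the list above.
CATEGORY = {
    P + "READ_CONTACTS": "contact list",
    P + "GET_ACCOUNTS": "linked accounts",
    P + "ACCESS_FINE_LOCATION": "location",
    P + "ACCESS_COARSE_LOCATION": "location",
    P + "ACCESS_BACKGROUND_LOCATION": "location",
    P + "READ_PHONE_STATE": "cellular network and phone state",
    P + "RECEIVE_BOOT_COMPLETED": "autostart after reboot",
}
# Assumed baseline of what file management itself needs.
FILE_MANAGER_BASELINE = {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE",
                         P + "MANAGE_EXTERNAL_STORAGE"}

# Constructed sample manifest; the package name is hypothetical.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.filemanager">
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
</manifest>
"""

def audit_manifest(xml_text, baseline=FILE_MANAGER_BASELINE):
    """Group declared permissions outside the baseline by the data they expose."""
    root = ET.fromstring(xml_text.strip())
    declared = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                declared.add(name)
    excess = {}
    for perm in sorted(declared - baseline):
        if perm in CATEGORY:
            excess.setdefault(CATEGORY[perm], []).append(perm)
    # Sensitive data plus network access means the data can leave the device.
    can_upload = bool(excess) and P + "INTERNET" in declared
    return {"package": root.get("package"), "excess": excess, "can_upload": can_upload}

if __name__ == "__main__":
    print(audit_manifest(SAMPLE_MANIFEST))
```

A non-empty `excess` result for an app whose stated purpose is file management is a reason to look closer before installing or allowing it on managed devices.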