A new trojan called Android.Cynos.7.origin, designed to collect Android users’ device data & phone numbers, was found in 190 games installed on over 9m Android devices.
Why would a game about a cat’s “cute diary” need permission to make phone calls or discover your location?
It does not: “Cat cute diary” is one of 190 trojanised games that Doctor Web malware analysts have found on App Gallery, the official app store for Huawei Android.
They are common. In a report published on Tues., Doctor Web estimated that more than 9,300,000 Android device owners have installed the dangerous games.
According to researchers, the main purpose of the malware-filled apps – which includes loads of kid-enticing entries, including games, simulators, platformers, arcades, strategies & shooters – is not to satisfy users’ cute-kitty & shoot-the-bad-guys lust.
Rather, they are equipped with a new Android trojan, tracked by the analysts as Android.Cynos.7.origin, the main purpose of which is to absorb users’ phone numbers & device data & to make money by milking the data to inflict ads, according to researchers.
Fun, Games & Data Exfiltration
Doctor Web provided a few examples of the trojan-containing games, some of which are targeting Russian-speaking users & which have Russian titles & descriptions, & some of which target Chinese or international audiences.
One of them – the “快点躲起来” game – which, according to Google Translator, means “Hurry up & hide” in English – has been downloaded over 2m times, according to the research.
Here’s the full list of the 190 apps the researchers are identifying as malicious.
What the Apps Do With Those Permissions
Doctor Web said that the Android.Cynos.7.origin trojan is one of the modifications of the Cynos malware platform – a module that can be integrated into Android apps so as to squeeze money out of devices. Malware analysts have known about Cynos since at least 2014, the analysts stated.
When the malicious apps are downloaded, they ask for permission to make & manage phone calls.
“That allows the trojan to gain access to certain data,” the analysts explained. Namely, after a user grants those permissions, the trojans collects & exfiltrates all of the following information to a remote server:
- User mobile phone number
- Device location based on GPS coordinates or the mobile network & Wi-Fi access point data (when the application has permission to access location)
- Various mobile network parameters, such as the network code & mobile country code; also, GSM cell ID & international GSM location area code (when the application has permission to access location)
- Various technical specs of the device
- Various parameters from the trojanised app’s metadata
- Some of its versions have quite aggressive functionality: they send premium SMS, intercept incoming SMS, download & launch extra modules, & download & install other apps. The main functionality of the version discovered by our malware analysts is collecting the information about users & their devices & displaying ads.
Some of the Cynos versions are even more aggressive that move into the realm of spyware or more, according to Doctor Web: “They send premium SMS, intercept incoming SMS, download & launch extra modules, & download & install other apps.”
However, the 190 apps its analysts found are mainly designed to collect the above-mentioned list of information about users and their devices & to display ads.
Do not dismiss these, Doctor Web analysts cautioned. These games are designed to be used by kids, which makes them plenty dangerous: “At 1st glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users, especially given the fact that children are the games’ main target audience.
“Even if the mobile phone number is registered to an adult, downloading a child’s game may highly likely indicate that the child is the who is actually using the mobile phone. It is very doubtful that parents would want the above data about the phone to be transferred not only to unknown foreign servers, but to anyone else in general.”
Huawei Pulled the Bad Apps
This is not the 1st time that Huawei’s App Gallery has been infused with malware. In April, Doctor Web reported that it had found the app store infested with apps that contained the Joker trojan: apps that were downloaded by unwitting users to more than 538,000 devices.
Doctor Web notified Huawei about the Cynos-infested malicious apps in its Android gallery. Huawei subsequently removed them all. The company hadn’t responded to requests for comment, but it did send this statement to Bleeping Computer:
“App Gallery’s built-in security system swiftly identified the potential risk within these apps. We are now actively working with affected developers to troubleshoot their apps. Once we can confirm that the apps are all clear, they will be re-listed on App Gallery so consumers can download their favourite apps again & continue enjoying them.
“Protecting network security & user privacy is Huawei’s priority. We welcome all 3rd-party oversight & feedback to ensure we deliver on this commitment. We will continue to collaborate closely with our partners, & at the same time, employ the most advanced & innovative technologies to safeguard our users’ privacy.”