Spyware Gamed 1.5M Users of Google Play Store

Malware spoofed file management applications thanks to elevated permissions, enabling exfiltration of sensitive data with no user interaction, researchers find.

Two separate malicious apps loaded with spyware were found lurking in the Google Play store, loaded with zero-click spyware leading back to China.
Together, both applications tracked to the same developer, affected an estimated 1.5 million users, according to a new security alert from Pradeo. Google removed the apps within hours of being notified, the researchers add.
Most malicious apps rely on the victim to actually use it to successfully deliver malware, but these relied on permissions instead, according to Pradeo.
Often, users install applications they end up not even using, the security alert said. For most malware, that means the attack is unsuccessful. To overcome that obstacle, File Manager and File Recovery and Data Recovery can, through the advanced permissions they use, induce the restart of the device. This then permits the apps to launch and execute themselves automatically at restart.
Pradeo researcher Roxane Suau explained to Dark Reading that in addition to file manager applications, junk cleaner apps are also often spoofed for malicious purposes because of the elevated permissions required for them to perform their tasks.
Beyond sneaky permissions, the
spyware apps
misrepresented the amount of data collected, which raises flags about the security controls on applications available in the Google Play store, according to Melissa Bischoping, director at endpoint security research at Tanium.
Users are often encouraged to place trust in the data privacy and safety reports on an apps page in the store, and this kind of deception undermines trust in all apps, not just the ones analyzed in the Pradeo reporting, Bischoping says. There are over 3.5 million apps in the store, so it would be a herculean effort to perform deep-dive analysis of how each app complies with its stated privacy and security practices. That said, this type of glaring inaccuracy demonstrates a need for tighter vetting and control over what is published.
The damage these
malicious applications
can do to enterprises increases dramatically with
bring your own device (BYOD) policies
in the mix, Bischoping points out.
A bring your own device policy often results in unmanageability of mobile devices for large organizations, she explains. Because of this, you cannot control what apps an employee may install or how much access they grant those apps. Its important to weigh the risk/reward of allowing mobile access to corporate data from personal devices.
Enterprise-owned devices should have controls in place to restrict these applications from being downloaded, Mike Parkin, senior technical engineer with Vulcan Cyber, tells Dark Reading.
With enterprise-owned devices, they should be doing this already, Parkin says. If they own the device, they have every right to restrict what goes onto it.
For organizations with BYOD policies, imposing restrictions on downloading apps is more difficult, Parkin adds, since the user owns the device and may balk at restrictions. Though it would be appropriate for them to publish their expectations and, when necessary, block infected devices from accessing enterprise assets.
While malicious applications are hardly anything new, John Gallagher, vice president at Viakoo Labs, hopes incidents like these two
spyware apps discovered in the Google Play Store
will encourage enterprise security teams to take a look at their own policies.
The ability of an application to have its download numbers inflated, to have more permissions than it needs, and for it to violate personal information policies and laws, are all existing attack vectors, Gallagher says. These newly discovered threats may push more organizations to screen company-provided devices for such apps, or to monitor their network traffic to detect issues.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Spyware Gamed 1.5M Users of Google Play Store