Android Info Stealing trojan has infected more than 9 million Android Devices

A malware trojan named Android.Cynos.7.origin has been found in 190 games on Huawei’s AppGallery. The malicious apps were reportedly installed approximately 9,300,000 times. According to researchers from Dr.Web AV, Android.Cynos.7.origin is one of the modifications of the Cynos malware, which is designed to steal information.

“The Android.Cynos.7.origin is one of the modifications of the Cynos program module. This module can be integrated into Android apps to monetize them. This platform has been known since at least 2014. Some of its versions have quite aggressive functionality: they send premium SMS, intercept incoming SMS, download and launch extra modules, and download and install other apps. The main functionality of the version discovered by our malware analysts is collecting the information about users and their devices and displaying ads,” the Doctor Web malware analysis report states.

Huawei has now removed these malicious apps from its store with the help of Dr.Web AV, but users who installed them manually have to remove the apps from their devices.

These malicious apps included simulators, platformers, arcade games, strategy games, and shooters. The threat actors appear to have been targeting Russian-speaking users, as the apps have Russian localization, titles, and descriptions. Some other malicious apps were targeting Chinese or international audiences.

“The apps that contain the Android.Cynos.7.origin ask users for permission to make and manage phone calls. That allows the trojan to gain access to certain data.

When the user grants permission, the trojan collects and sends the following information to a remote server:

  • User mobile phone number
  • Device location based on GPS coordinates or the mobile network and Wi-Fi access point data (when the application has permission to access location)
  • Various mobile network parameters, such as the network code and mobile country code; also, GSM cell ID and international GSM location area code (when the application has permission to access location)
  • Various technical specs of the device
  • Various parameters from the trojanized app’s metadata”
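To check which of the data categories listed above an installed app can actually reach, a defender can read the granted runtime permissions from `adb shell dumpsys package <name>` output. The script below is an added example, not code from the Dr.Web report; the permission names are the standard Android Phone and Location groups (an assumption, the report does not list them), and the package name and sample dump are constructed.

```python
import re

# Android "Phone" permission group; its runtime prompt asks to
# "make and manage phone calls". Standard Android names, assumed here
# because the report does not name the exact permissions.
PHONE_GROUP = {
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_PHONE_NUMBERS",
    "android.permission.CALL_PHONE",
}
LOCATION = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}
GRANT_RE = re.compile(r"^\s*(android\.permission\.\w+): granted=(true|false)")

def granted_permissions(dumpsys_text):
    """Return the permissions marked granted=true in dumpsys output."""
    matches = (GRANT_RE.match(line) for line in dumpsys_text.splitlines())
    return {m.group(1) for m in matches if m and m.group(2) == "true"}

def exposure(dumpsys_text):
    """Map granted permissions to the data categories listed in the report."""
    granted = granted_permissions(dumpsys_text)
    phone = bool(granted & PHONE_GROUP)
    location = bool(granted & LOCATION)
    return {
        "phone_number": phone,
        "gps_or_network_location": location,
        "network_codes_and_cell_id": location,
    }

# Constructed sample, shaped like `adb shell dumpsys package <name>` output.
SAMPLE = """\
Package [com.example.game] (1a2b3c):
  requested permissions:
    android.permission.INTERNET
    android.permission.READ_PHONE_STATE
    android.permission.ACCESS_FINE_LOCATION
  runtime permissions:
    android.permission.READ_PHONE_STATE: granted=true, flags=[ USER_SET ]
    android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for category, reachable in exposure(SAMPLE).items():
        print(f"{category}: {'reachable' if reachable else 'blocked'}")
```

A game that holds a granted Phone-group permission is worth a closer look, since few games need it.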

Find the full list of the 190 malicious apps.
