More than 9 million smartphones infected with Cynos malware

Chinese smartphone vendor Huawei has temporarily removed 190 Android games from its official AppGallery app store after it received a report from Russian security firm Dr.Web that the apps contained an overly aggressive monetization library that was collecting extensive details from users' devices.

Huawei said it is now working with the app developers to investigate if the data collection has been taking place behind their backs and find replacement monetization libraries.

More than 9.3 million users have installed one of these 190 Android games, according to download stats listed on the AppGallery store.

"Some of these games target Russian-speaking users: they have Russian localization, titles, and descriptions. Others target Chinese or international audiences," Dr.Web said in a report this week.

The company said it has been tracking this threat under the Cynos malware definition since March this year.

According to its investigation, the malicious Cynos library had been observed collected extensive information from devices where its parent apps were installed, such as:

  • Phone numbers
  • Geo-location data
  • WiFi network details
  • Mobile network parameters and identifiers
  • Phone hardware and software specs

"At first glance, a mobile phone number leak may seem like an insignificant problem. Yet, in reality, it can seriously harm users, especially given the fact that children are the games' main target audience," Dr.Web researchers explained.

While the games were removed from the official app store, they are still installed on users' devices, and users will need to manually uninstall them.

A list of all the games that Dr.Web classified as infected with a version of the Cynos malware is available here.

While most security experts focus on Android malware strains that contain spyware-like behavior, the reality is that most Android threats are focused on extensive personal data collection and ad fraud. This might not defraud users, but it defrauds advertisers and also indirectly fuels the data trading underground, where user details are often compiled and sold without users' permission.

Catalin Cimpanu

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.

No previous article
No new articles