

Huawei’s AppGallery has been targeted in a massive new malware campaign. Android trojans posing as 190 different applications were installed almost 9,300,000 times. Researchers at Dr.Web AV made the discovery and gave this data-stealing malware the label ‘Android.Cynos.7.origin’. It is apparently another variant of the Cynos malware. Its goal is to gather sensitive user information.

Doctor Web malware analysts discovered dozens of games on the AppGallery catalog that have an Android.Cynos.7.origin trojan built into them. This trojan is designed to collect users’ mobile phone numbers. At least 9,300,000 Android device owners have installed these dangerous games.


The New Data Stealing Malware: How It Works

According to the Dr.Web experts’ report, the attackers behind the campaign hid the data-stealing malware inside Android applications. These apps posed as games (shooters, platformers, arcade games, simulators, and RTS strategy titles) aimed at international users or at Chinese- and Russian-speaking users.

The newly discovered data-stealing malware is thought to be another version of the trojan dubbed Cynos, which is capable of a series of malicious activities. These could include spying on SMS text messages and downloading and deploying various payloads.

The researchers also underline that this new version focuses on collecting user data in order to display ads. During installation, it requests permissions for activities unrelated to gaming, for example the ability to make phone calls or access to the user’s location. This is the point at which the malware can start its malicious process: if the user grants the requested permissions, it can exfiltrate data to a remote server.

According to the same report, this is the data it can exfiltrate:

  • The user’s mobile phone number;
  • Mobile network parameters, which may include the network code and the mobile country code, as well as GSM cell IDs and the international GSM location area code;
  • The device location, based on GPS coordinates or on mobile network and Wi-Fi access point information;
  • Device technical information;
  • Different parameters relating to the metadata of the trojanized application.

These Cynos trojans are also dangerous because they can download and install additional applications, send SMS messages to premium services, and even intercept incoming SMS. If users are subscribed to premium services this way, it can result in unanticipated charges for them.
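The permission requests and data types described above can be checked for before an app is allowed onto managed devices. The following is an added example, not code from the Dr.Web report or this article: it audits a text-decoded `AndroidManifest.xml` (for instance, one produced by apktool) and flags a game that requests permissions gating those capabilities. The permission mapping, the function name and the sample manifest are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping (not from the Dr.Web report): standard Android permissions
# that gate the capabilities and data types the article lists.
RISKY = {
    "android.permission.CALL_PHONE": "place phone calls",
    "android.permission.READ_PHONE_STATE": "phone number, network and cell parameters",
    "android.permission.READ_PHONE_NUMBERS": "phone number",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network / Wi-Fi based location",
    "android.permission.SEND_SMS": "send (premium) SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read stored SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install other apps",
}

def audit_manifest(manifest_xml):
    """Return (package, is_game, {permission: capability}) for a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    # Games declare android:isGame="true" (older) or android:appCategory="game".
    is_game = app is not None and (
        app.get(ANDROID_NS + "isGame") == "true"
        or app.get(ANDROID_NS + "appCategory") == "game"
    )
    requested = {node.get(ANDROID_NS + "name", "")
                 for tag in ("uses-permission", "uses-permission-sdk-23")
                 for node in root.iter(tag)}
    findings = {p: RISKY[p] for p in sorted(requested) if p in RISKY}
    return root.get("package", ""), is_game, findings

# Constructed sample manifest (hypothetical package, not one of the 190 apps).
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.samplegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:isGame="true" android:label="Sample Game"/>
</manifest>"""

if __name__ == "__main__":
    pkg, is_game, findings = audit_manifest(SAMPLE)
    print(f"{pkg} (game: {is_game}) requests {len(findings)} sensitive permissions")
    for perm, why in findings.items():
        print(f"  {perm}: {why}")
```

A game with several hits is a candidate for manual review rather than proof of infection, since legitimate apps also request some of these permissions.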

The Android.Cynos.7.origin is one of the modifications of the Cynos program module. This module can be integrated into Android apps to monetize them. This platform has been known since at least 2014. (…) Some of its versions have quite aggressive functionality: they send premium SMS, intercept incoming SMS, download and launch extra modules, and download and install other apps.


What Applications Have this Data-Stealing Malware Within?

According to BleepingComputer, many applications are affected, and some have far more installations than others: 快点躲起来 (Hurry up and hide) with 2,000,000 installations, Cat adventures with 427,000 installations, and Drive school simulator with 142,000 installations. A full list of all 190 applications was published here.

The Dr.Web AV researchers notified Huawei of the discovery and helped the company remove the malicious applications from its app store. Users who have already installed the compromised applications on their Android devices need to remove them from their phones themselves.


Author Profile

Andra Andrioaie

Security Enthusiast
