A large-scale malware campaign targeting Huawei’s AppGallery has been discovered. According to a blog post at Doctor Web, roughly 9.3 million Android users have been infected by this campaign.
In the blog post, Doctor Web malware researchers report the culprit malware in the Huawei AppGallery to be Android.Cynos.7.origin. Android.Cynos.7.origin is a detection name used by researchers for a Cynos software module. The malware is a Trojan that seeks to gain permission from potential victims to access phone call functions on an Android device. In the end, if permissions are granted, Android.Cynos.7.origin begins collecting sensitive data on the user.
Doctor Web researchers explain that the Android.Cynos.7.origin Trojan was found loaded in numerous Huawei AppGallery applications, especially games for children. The blog post explains the extent of this in the following excerpt:
At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users, especially given the fact that children are the games’ main target audience.
Even if the mobile phone number is registered to an adult, downloading a child’s game may highly likely indicate that the child is the one who actually using the mobile phone. It is very doubtful that parents would want the above data about the phone to be transferred not only to unknown foreign servers, but to anyone else in general.
We found the Android.Cynos.7.origin in 190 games on AppGallery, like simulators, platformers, arcades, strategies, and shooters. More than 9,300,000 users have downloaded these games combined (the number of installations is calculated based on the number of downloads listed on the AppGallery for each app). Some of these games target Russian-speaking users: they have Russian localization, titles, and descriptions. Others target Chinese or international audiences.”
Researchers at Doctor Web state that they immediately contacted Huawei with their AppGallery findings. By the time that their research blog post had been published, the offending applications had been deleted.
Featured image: Shutterstock