Huawei’s AppGallery targeted by malware campaign

A large-scale malware campaign targeting Huawei's AppGallery has been discovered. According to a blog post at Doctor Web, roughly 9.3 million Android users have been infected by this campaign.

In the blog post, Doctor Web malware researchers identify the malware found in the Huawei AppGallery as Android.Cynos.7.origin, a detection name used by researchers for a Cynos software module. The malware is a Trojan that asks potential victims for permission to access phone call functions on an Android device. If the permissions are granted, Android.Cynos.7.origin begins collecting sensitive data on the user.

Doctor Web researchers explain that the Android.Cynos.7.origin Trojan was found loaded in numerous Huawei AppGallery applications, especially games for children. The blog post explains the extent of this in the following excerpt:

"At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users, especially given the fact that children are the games’ main target audience.

Even if the mobile phone number is registered to an adult, downloading a child’s game may highly likely indicate that the child is the one who is actually using the mobile phone. It is very doubtful that parents would want the above data about the phone to be transferred not only to unknown foreign servers, but to anyone else in general.

We found the Android.Cynos.7.origin in 190 games on AppGallery, like simulators, platformers, arcades, strategies, and shooters. More than 9,300,000 users have downloaded these games combined (the number of installations is calculated based on the number of downloads listed on the AppGallery for each app). Some of these games target Russian-speaking users: they have Russian localization, titles, and descriptions. Others target Chinese or international audiences."

Researchers at Doctor Web state that they immediately contacted Huawei with their AppGallery findings. By the time their blog post was published, the offending applications had been deleted.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist. Kortepeter specializes in areas such as cyber defense, privacy rights, cyber warfare, and governmental InfoSec policy.
