October 3, 2023

Two spyware applications posing as file management tools have been discovered on the Google Play Store with a total of at least 1.5 million installs.

  • File Recovery and Data Recovery – com.spot.music.filedate – 1M+ Installs
  • File Manager – com.file.box.master.gkd – 500K+ Installs

The apps exhibit similar malicious behaviors and operate without user interaction, and with an objective of covertly extract and transmit sensitive user data to malicious servers based in China. The findings were reported to Google.

One of the spyware applications falsely claimed on its Google Play Store profile that it does not collect user data.


In addition to collecting personal information from users’ devices, such as contact lists and media files (picture, audio and video files), the applications transmit the stolen data to multiple malicious servers predominantly located in China.

The volume of data transmitted by the spyware distinguishes it from typical cases. Each application sends the stolen data over a hundred times.

Threat actors behind the spyware employ several tactics. The applications falsely boost their credibility by artificially inflating the number of installations, a technique achieved through install farms or mobile device emulators.

The spyware utilizes advanced permissions to induce device restarts, enabling automatic launch and execution upon restart, as well as techniques to make uninstallation harder.


The discovery of this spyware on the Google Play Store serves as a stark reminder for users and organizations to remain vigilant, take appropriate security measures, and protect their sensitive information from falling into the wrong hands.

This research was documented by researchers from Pradeo

Leave a Reply

%d bloggers like this: