Over 9 Million Android devices are infected by Huawei AppGallery Trojan: Report

A report coming from Doctor Web malware analysts reveals that there are over 9 million Android devices that have been infected by severe trojan coming from Huawei AppGallery that have installed games infected by this dangerous virus.

According to the report, Android.Cynos.7.origin is the name of the trojan that has been built into the apps and brought into consumer devices via Huawei AppGallery. The data reveals that around 9,300,000 Android device owners have already installed the apps and have been operating them for a long time.

What is this Trojan?

The Android.Cynos.7.origintrojen is one of the modifications of the Cynos program module. This module can be integrated into Android apps to monetize them. This platform has been known since at least 2014.

Some of its versions have quite aggressive functionality, such as sending premium SMS, intercepting incoming SMS, download and launching extra modules, and downloading and installing other apps. The main functionality of the version discovered by our malware analysts is collecting the information about users and their devices and displaying ads.

Which apps are infected?

There are around 190 games on Huawei AppGallery that have a built-in trojan in several categories including:

1. Simulators
2. Platforms
3. Arcades
4. Strategies
5. Shooters and others

There are a total of over 9.0 million users have downloaded these games in a combined count. Some of these games target Russian users, while some others target Chinese or international audiences.

These Games are:

1. The team must kill the warhead (translated from Russian)
2. Cat game room
3. Drive school simulator
4. Hurry up and hide (translated from Chinese

What are these apps stealing?

Apps with this trojan ask users to provide certain permission such as to retrieve phone call details. Once granted, the permission helps the trojan to collect and send the user’s data to a remote service including the following:

• User mobile phone number
• Device location based on GPS coordinates or the mobile network and Wi-Fi access point data (when the application has permission to access the location)
• Various mobile network parameters, such as the network code and mobile country code; also, GSM cell ID and international GSM location area code (when the application has permission to access the location)
• Various technical specs of the device
• Various parameters from the trojanized app’s metadata

How?

The number leak may not be a big deal for anyone but it can really harm users’ interest, especially when your phone is operated by a child, who is the main target of this trojan. The corresponding apps are designed only for children’s purposes.

What’s next?

Doctor Web has notified Huawei regarding these discoveries and by the publication of this report, the Chinese tech maker has removed all of the infected apps from AppGallery. So, if you have these apps, we recommend you remove them.