Data from 1.5M Google Play Installs Shipped to Chinese Servers
Data from 1.5M Google Play Installs Shipped to Chinese Servers

Rami Al-zayat (unsplash)

Security researchers have unveiled the malevolent nature of two file management applications present on Google Play. These applications, which have seen over 1.5 million installations collectively, are known for their extensive data collection practices that exceed what’s required for their designated functionalities.

The two applications, originating from the same publisher, are capable of launching independently, pilfering sensitive user data, and subsequently transmitting it to servers located in China.

Despite the reported violations, Google continues to host the applications on Google Play as of the time the news was released.

The apps, known as File Recovery and Data Recovery, and identified as “” on devices, has crossed the milestone of one million installations. Another app from the same publisher, named File Manager, identified on devices as “,” has garnered at least 500,000 installations.

Pradeo, a mobile security solutions company, discovered these two applications using its behavioral analysis engine. Despite the apps’ descriptions claiming a lack of data collection practices on the Data Safety section of their Google Play entries, Pradeo’s investigation revealed otherwise.

According to Pradeo’s findings, the mobile applications were extracting the following data from the device:

  • Contact lists from on-device memory, linked email accounts, and social networks.
  • Photos, audio, and video files managed or retrieved by the applications.
  • Real-time location of the user.
  • Mobile country code.
  • Name of the network provider.
  • Network code of the SIM provider.
  • Operating system version number.
  • Brand and model of the device.

While some of the collected data could be justified for performance optimization and compatibility purposes, much of it is deemed unnecessary for the applications’ file management or data recovery functionalities. Furthermore, the data collection process happens without the user’s consent and in complete secrecy.

Pradeo also revealed that the apps have been designed to hide their home screen icons, making them harder to locate and remove. The apps could also exploit permissions approved by the user during installation to initiate a device restart and silently launch in the background.

The company speculates that the publisher may have resorted to using emulators or installation farms to artificially boost the apps’ popularity and appear more credible.

This theory gains traction considering the discrepancy between the number of user reviews on the Play store and the reported user base.

Users are strongly advised to peruse reviews prior to app installation, pay careful attention to permissions requested during installation, and trust only those applications published by reliable developers.