Security researchers have discovered two malicious file manager apps on Google Play, with a collective install count of over 1.5 million, that collect user data far beyond what is needed to offer the promised functionality.

The apps, both from the same vendor, can be launched without any user interaction to steal sensitive data and send it to servers in China.

Although reported to Google, both apps are still available on Google Play at the time of publication.

Image: The two spyware apps discovered by Pradeo, still in Google Play (BleepingComputer)

File Recovery and Data Recovery, identified as “” on devices, has at least 1 million installs. The install count for the file manager reads at least 500,000 and it can be identified on devices as “”.

Both apps were discovered by the behavioral analysis engine of mobile security solutions company Pradeo. In the Data Security section of their Google Play entries, their descriptions state that they do not collect any user data from the device.

Image: Declaration of data collection on Google Play (BleepingComputer)

However, Pradeo found that the two apps exfiltrate the following data from the device:

  • User contact list from device memory, connected email accounts and social networks.
  • Images, audio and video managed or retrieved from applications.
  • Real-time user location
  • Mobile country code
  • Network provider name
  • SIM provider network code
  • Operating system version number
  • Device brand and model

Although apps may have a legitimate reason to collect some of the above to ensure good performance and compatibility, much of the collected data is not needed for file management or data recovery functions. To make matters worse, this data is collected secretly and without obtaining user consent.

Pradeo adds that both apps hide their home screen icons to make them harder to find and remove. They can also abuse the permissions the user approves during installation to restart the device and run in the background.

It’s likely the publisher used emulators or install farms to boost popularity and make its products seem more reliable, Pradeo speculates.

This theory is supported by the fact that the number of user reviews on the Play Store is far too low compared to the reported user base.

It is always recommended to check user reviews before installing any app, pay attention to the permissions requested while installing the app, and only trust software released by reputable developers.
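One way to act on the permission advice above, as an added example that is not from Pradeo or the original article: the script compares an app's requested permissions with a "no data collected" store declaration. The `aapt dump permissions`-style input, the package name, the sample manifest and the "expected for a file manager" set are all assumptions made for illustration.

```python
import re

P = "android.permission."
# Permissions gating data and behaviours named in the article. Brand/model,
# OS version and carrier codes need no permission, so this audit cannot see them.
RISKY = {
    P + "READ_CONTACTS": "contact list",
    P + "GET_ACCOUNTS": "connected accounts",
    P + "ACCESS_FINE_LOCATION": "real-time location",
    P + "ACCESS_COARSE_LOCATION": "real-time location",
    P + "RECEIVE_BOOT_COMPLETED": "auto-start after reboot",
}
# Assumption: what a file manager plausibly needs for its stated purpose.
EXPECTED = {P + n for n in (
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "MANAGE_EXTERNAL_STORAGE",
    "READ_MEDIA_IMAGES", "READ_MEDIA_VIDEO", "READ_MEDIA_AUDIO")}
INTERNET = P + "INTERNET"
PERM_RE = re.compile(r"^uses-permission(?:-sdk-\d+)?: name='([^']+)'")

def parse_permissions(aapt_output):
    """Extract permission names from `aapt dump permissions` style text."""
    matches = (PERM_RE.match(line.strip()) for line in aapt_output.splitlines())
    return {m.group(1) for m in matches if m}

def audit(aapt_output, declares_no_collection):
    """Compare requested permissions with a 'no data collected' declaration."""
    perms = parse_permissions(aapt_output)
    findings = sorted((p, RISKY[p]) for p in perms if p in RISKY)
    return {
        "findings": findings,
        # Neither expected for file management nor in the risky table: review by hand.
        "unexplained": sorted(perms - EXPECTED - set(RISKY) - {INTERNET}),
        # Risky permission + network access + "collects nothing" is the mismatch.
        "contradicts_declaration": bool(
            declares_no_collection and findings and INTERNET in perms),
    }

# Constructed sample; not the manifest of either app in the article.
SAMPLE = """package: com.example.filemanager
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.READ_EXTERNAL_STORAGE'
uses-permission: name='android.permission.READ_CONTACTS'
uses-permission: name='android.permission.ACCESS_FINE_LOCATION'
uses-permission: name='android.permission.RECEIVE_BOOT_COMPLETED'
uses-permission: name='android.permission.VIBRATE'
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE, declares_no_collection=True).items():
        print(key, value)
```

A clean result here does not clear an app: it only shows that the permission list is consistent with the declaration.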

BleepingComputer has contacted Google for comment on this, but we have yet to receive a response.
