Cynos Android Malware

A massive attack campaign deploying an Android infostealer Trojan threat has managed to infect over 9.3 million Android devices. After analysis by a Russian security firm, the Trojan has been classified as a modified variant of the Cynos Android Malware. The attackers managed to breach Huawei's AppGallery and spread their threat via more than 190 weaponized applications.

Infected Game Applications

The applications carrying the Trojan's library were mostly Android games from a wide range of different genres - simulators, arcades, platformers, RTS and shooting games. Another evidence of the sheer scale of the attack is the fact that the threat actor was targeting Chinese, English and Russian-speaking users.

There weren't any major red flags that could tip users that something nefarious is going on. The weaponized applications did request permissions not usually required by mobile games, such as making phone calls or having access to the device's geolocation. The applications were fully functional and matched their advertised features so users may not have had a reason to remove them manually. The most downloaded of the Trojanized apps is 快点躲起来 (Hurry up and hide), which reached around 2 million downloads. Next was Cat adventure with over 420, 000 downloads and Drive school simulator with close to 150, 000 downloads.

Threatening Capabilities

Once fully deployed on the victim's device, the Cynos Android malware will begin harvesting sensitive information, while also generating and displaying sponsored advertisements. The collected information includes phone numbers, WiFi network details, device hardware and software details, geolocation data and more.

The Trojan also could have been used to fetch, download, and execute additional threatening modules or applications on the breached devices. The threat actor also could have used the Cynos Android malware to send premium service SMS or intercept sensitive data from incoming SMS messages.

Huawei has stated that AppGallery's built-in system has identified the risky applications. The company is now working actively with the affected developers to clear and relist their applications on its store. Users who have already installed one of the Trojanized applications will need to clean their phone by themselves, preferably by using a professional security solution.