A new malware variant is spreading through Huawei's AppGallery app store. The malware is currently known to have infected more than nine million Android devices.
According to a report from antivirus developer Dr. Web, the malware is known as 'Android.Cynos.7.origin' and is a modified version of the Cynos malware. It is designed to collect sensitive data from infected phones.
The creator of this malware hid it in 190 games distributed through the AppGallery. The games that carry it span various genres, such as simulator, platformer, arcade, strategy, shooter, and many more.
Dr. Web says these games have been installed more than 9,300,000 times. Some of the games target Russian-speaking users, as they have Russian titles and descriptions. Other games target Chinese users or English-speaking users in other countries.
The list of 190 games infected with the Cynos malware is too long to write here. But there are some games that catch the eye because they have been downloaded hundreds of thousands to millions of times:
(Hurry up and hide) - 2,000,000
Cat adventures - 427,000
Drive school simulator - 142,000
For a complete list of 190 games infected with the Cynos malware, click the GitHub link below.
This newly discovered variant of the Cynos trojan can perform several malicious activities, including spying on SMS messages and downloading and installing other payloads. There is also another version that is more aggressive because it can send premium SMS, intercept incoming SMS, download extra modules, and download other applications.
"The main function of the version found by our malware analysts is to collect information about the user and his device and display advertisements," wrote Dr. Web in its report, as quoted from Bleeping Computer, Wednesday (11/24/2021).
The aggressive behavior of this malware is visible from the very beginning of installation, as it immediately requests access to things that games do not normally use, such as making phone calls or detecting the user's location. If the user grants these permissions, the Cynos malware can send the following data to a remote server:
User's phone number
Device location based on GPS coordinates or mobile network and Wi-Fi access point data
Various mobile network parameters, such as network code and country code, as well as GSM ID and international GSM location area code
Various device technical specifications
Various parameters of the trojaned application metadata
Dr. Web has reported its findings to Huawei, and the malicious games containing the Cynos malware have been removed from the AppGallery. But users who have already downloaded them still have to delete them manually from their devices.
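The permission requests described above (phone calls, location, SMS) can be checked before a game is installed or kept on a device. The following is an added example, not code from Dr. Web or the original article: it audits a decoded `AndroidManifest.xml` (text XML, as produced by a tool such as apktool) for permissions a game would not normally need. The permission-to-capability mapping, the function names and the sample manifest are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions mapped to the capabilities the article describes.
# The mapping is this example's assumption, not taken from the Dr. Web report.
RISKY_FOR_GAMES = {
    "android.permission.CALL_PHONE": "make phone calls",
    "android.permission.READ_PHONE_STATE": "read phone number / network identifiers",
    "android.permission.READ_PHONE_NUMBERS": "read phone number",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
    "android.permission.ACCESS_COARSE_LOCATION": "network / Wi-Fi location",
    "android.permission.SEND_SMS": "send (premium) SMS",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.READ_SMS": "read SMS",
}

# Constructed sample manifest for a hypothetical game (not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.game">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission-sdk-23 android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Constructed Game"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Return every permission name declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name)
    return perms

def audit_game_manifest(manifest_xml):
    """Map each requested permission that is unusual for a game to its capability."""
    perms = requested_permissions(manifest_xml)
    return {p: RISKY_FOR_GAMES[p] for p in sorted(perms) if p in RISKY_FOR_GAMES}

if __name__ == "__main__":
    for perm, why in audit_game_manifest(SAMPLE_MANIFEST).items():
        print(f"{perm}: {why}")
```

A match is a reason to review the app, not proof of infection, since some legitimate games request location or phone state.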