Android spyware with over 1.5 million downloads sends your data to China — delete these apps right now

A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
(Image credit: rafapress/Shutterstock)

Cybersecurity analysts uncovered two file management apps available on the Google Play Store that are actually spyware, putting the privacy and security of up to 1.5 million Android users at risk. So if you have one of the best Android phones with these apps installed, delete them right away.

The fishy apps are File Recovery & Data Recovery and File Manager, according to an alert this week from Pradeo, a leading mobile cybersecurity company. The apps, both from the same developer, are programmed to launch without any input from the user and quietly send sensitive user data to servers based in China. 

File Recovery & Data Recovery was downloaded more than 1 million times, and roughly 500,000 people installed File Manager, according to screenshots of their respective Play Store pages shared in Pradeo's report. 

Screenshots of the File Manager and File Recovery and Data Recovery apps in the Google Play Store

(Image credit: Pradeo)

How your data may be at risk

Per Bleeping Computer, Google only recently kicked the apps off the Play Store. The developer behind both apps is listed as Wang Tom in the Play Store screenshots. So while you may find several apps named File Manager in the Play Store, only the one with the developer Wang Tom has been found to be spyware. 

The apps say they don't collect any data from the user's device, but it turns out this wasn't the case. Pradeo's behavioral analysis engine found the apps exfiltrate the following data: contacts saved in your device; email and social network contacts; pictures, audio and video compiled in the app; real-time user location; device brand and model; mobile country code; network provider name; and operating system version number. All without ever requesting permission to collect this information.

While the apps may have a legitimate reason to collect some of the data above to optimize performance and ensure compatibility across devices, most of it is not required for file management and data recovery operations. 

Even more alarming is the sheer amount of data being transferred while the user's none the wiser. Each app performs more than a hundred transmissions, "an amount that is so large it is rarely observed," Pradeo notes.

How the spyware hides in plain sight — and where to find it

Smartphone displaying skull and crossbones on screen.

(Image credit: Morrowind/Shutterstock)

The apps can also abuse the permissions the user approves during installation to restart the device and quietly launch in the background. And deleting them off your phone comes with its own hoops. The apps conceal their home screen icons to make uninstallation more of a hassle, as users have to go to their application list in the Settings menu to delete them.

So if you have either File Recovery & Data Recovery or File Manager installed and you don't see them on your home screen, head to your Settings menu ASAP to get rid of them. 

Again, the only app named File Recovery that Pradeo found to be spyware lists the developer as Wang Tom. Other apps titled File Recovery that you may come across in the Play Store should be fine, but read on to learn more about how to best protect your device from these kinds of tactics moving forward.  

How to stay safe from Android malware

Unfortunately, cybersecurity is like fighting a hydra. You cut off one head, and 10 more pop up in its place. If you're wondering how to best keep your phone protected from malicious apps on Android, consider equipping it with one of the best Android antivirus apps. Not only can they shield your handheld from spyware and malware, but they can also keep you safe from becoming a victim of identity theft. 

Even legitimate or seemingly innocent-looking Android apps can become compromised by bad actors. In April, a report found malicious loader programs bought on the dark web are enabling hackers to hide malware in legitimate apps to get around Google's defenses and end up on the Play Store. Also known as dropper apps, these programs often present themselves as legitimate software. But once they've cleared the Play Store's review process, they then receive malicious updates from a hacker-controlled server. Their creators often wait until the apps have a large user base before pushing a malware-infected update out to target the most users as possible. 

Google rolled out several new updates to its Android ecosystem in June, including a handy little security feature that lets you see if your Gmail address has been exposed on the dark web.

More from Tom's Guide

Alyse Stanley
News Editor

Alyse Stanley is a news editor at Tom’s Guide overseeing weekend coverage and writing about the latest in tech, gaming and entertainment. Prior to joining Tom’s Guide, Alyse worked as an editor for the Washington Post’s sunsetted video game section, Launcher. She previously led Gizmodo’s weekend news desk, where she covered breaking tech news — everything from the latest spec rumors and gadget launches to social media policy and cybersecurity threats.  She has also written game reviews and features as a freelance reporter for outlets like Polygon, Unwinnable, and Rock, Paper, Shotgun. She’s a big fan of horror movies, cartoons, and miniature painting.

  • WickedStepMom
    I find that there are FILE MANAGER apps still on the Google Play Store so how do I really determine if what I have on my Android is safe or not?
  • wayfr68
    I don't know how many people don't do this when they uninstall apps, but everyone I know says they've never even heard of doing this, but before uninstalling apps, go into the device Settings, Apps, select the app from the list, then usually at the bottom, Force Stop or Force Close it, then scroll back up to Storage and click it, then click on Clear Data. You don't need to Clear the Cache since Clear Data automatically takes care of that. After that, it's ok to uninstall it.
    Force Stop or Force Close
    Clear Data
    Following these quick, easy and painless steps are the only way to insure that there aren't any residual traces of the app left that are still infecting other apps and/or settings and still collecting info. I'm sure you can also boot into Recovery Mode and do a much deeper uninstall, but I haven't played around in recovery mode for several years and I've forgotten so much about it.
  • emismailkhan
    I use Xiaomi device actually made by china. I see very permission of miui ROM file manager. Heard alot about Chinese hakars so thinking now about privacy. 🤔
  • 1st Tom's Guide dude
    Use Malwarebytes!