Malware analysts at an antivirus firm, Doctor Web have discovered dozens of games with a new class of malware on the Huawei AppGallery catalog, which is designed to collect users’ mobile phone numbers.

At least 9.3 million Android device owners have installed these dangerous games.

According to the analysts, the trojan classified as “’Android.Cynos.7.origin” is one of the modifications of the Cynos program module. This trojan was found in 190 games on AppGallery, like simulators, platformers, arcades, strategies, and shooters.

While some of these games targeted Russian-speaking users with Russian localization, titles, and descriptions, the others targeted Chinese or international users.

“This module can be integrated into Android apps to monetize them. This platform has been known since at least 2014. Some of its versions have quite aggressive functionality: they send premium SMS, intercept incoming SMS, download and launch extra modules, and download and install other apps,” states the report.

The apps that contain the Android.Cynos.7.origin ask users for permission to make and manage phone calls, which allows the trojan to gain access to certain data.

When the user grants permission, the trojan collects and sends the following information to a remote server:

  • User mobile phone number
  • Device location based on GPS coordinates or the mobile network and Wi-Fi access point data (when the application has permission to access location)
  • Various mobile network parameters, such as the network code and mobile country code; also, GSM cell ID and international GSM location area code (when the application has permission to access location)
  • Various technical specs of the device
  • Various parameters from the trojanized app’s metadata

At a glance, let’s have a look at the examples of games below in which this Trojan is embedded and have a large number of installations:

Hurry up and hide – 2,000,000 installs

Cat game room – 427,000 installs

Drive school simulator – 142,000 installs

“At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users, especially given the fact that children are the games’ main target audience,” the report added.

“Even if the mobile phone number is registered to an adult, downloading a child’s game may highly likely indicate that the child is the one who actually using the mobile phone. It is very doubtful that parents would want the above data about the phone to be transferred not only to unknown foreign servers, but to anyone else in general.”

On identifying the threats, Doctor Web informed Huawei Company about the same. All applications containing the trojan have now been removed from the AppGallery. However, users who have installed the apps on their Android devices will still have to remove them manually to prevent further misuse.

“AppGallery’s built-in security system swiftly identified the potential risk within these apps. We are now actively working with affected developers to troubleshoot their apps. Once we can confirm that the apps are all clear, they will be re-listed on AppGallery so consumers can download their favorite apps again and continue enjoying them,” a Huawei spokesperson told Bleeping Computer.

“Protecting network security and user privacy is Huawei’s priority. We welcome all third-party oversight and feedback to ensure we deliver on this commitment. We will continue to collaborate closely with our partners, and at the same time, employ the most advanced and innovative technologies to safeguard our users’ privacy.”