Doctor Web malware analysts found the Android.Cynos.7.origin in 190 games on AppGallery, like simulators, platformers, arcades, strategies, and shooters. More than 9.300.000 users have downloaded these games combined (the number of installations is calculated based on the number of downloads listed on the AppGallery for each app). Some of these games target Russian-speaking users: they have Russian localization, titles, and descriptions. Others target Chinese or international audiences.

Doctor Web malware analysts discovered dozens of games on the AppGallery catalog that have an Android.Cynos.7.origin Trojan built into them. Android.Cynos.7.origin is the detection name for one of the versions of the Cynos software modules. They can be embedded into Android apps to monetize them. This modification’s main functionality is to collect information about users and their mobile devices and display ads. This platform has been known since at least 2014. Some of its versions have quite aggressive functionality: they send premium SMS, intercept incoming SMS, download and launch extra modules, and download and install other apps. The main functionality of the version discovered by our malware analysts is collecting the information about users and their devices and displaying ads.
The apps that contain the Android.Cynos.7.origin ask users for permission to make and manage phone calls. That allows the Trojan to gain access to certain data.
When the user grants permission, the Trojan collects and sends the following information to a remote server:
- User mobile phone number
- Device location based on GPS coordinates or the mobile network and Wi-Fi access point data (when the application has permission to access location)
- Various mobile network parameters, such as the network code and mobile country code; also, GSM cell ID and international GSM location area code (when the application has permission to access location)
- Various technical specs of the device
- Various parameters from the trojanized app’s metadata

At first glance, a mobile phone number leak may seem like an insignificant problem. Yet in reality, it can seriously harm users, especially given the fact that children are the games’ main target audience.
Even if the mobile phone number is registered to an adult, downloading a child’s game may highly likely indicate that the child is the one who actually using the mobile phone. It is very doubtful that parents would want the above data about the phone to be transferred not only to unknown foreign servers, but to anyone else in general.