Over 9 million Android Devices Infected by Trojan Disguised as Game Apps

An info-stealing trojan has found its way onto more than 9 million Android devices through Huawei’s AppGallery app store. Over 190 different apps were infected with the trojan and were then downloaded around 9.3 million times by unsuspecting users.

The trojan was discovered by Dr. Web – software developed by a Russian anti-malware company called Doctor Web. Dr.Web identified the trojan as “Android.Cynos.7.origin,” a modified version of the Cynos malware designed to collect sensitive user information.
Huawei acted quickly, deleted all affected apps from their store, and started working with developers to fix vulnerabilities with their apps.

“AppGallery’s built-in security system swiftly identified the potential risk within these apps. We are now actively working with affected developers to troubleshoot their apps. Once we can confirm that the apps are all clear, they will be re-listed on AppGallery so consumers can download their favorite apps again and continue enjoying them.

Protecting network security and user privacy is Huawei’s priority. We welcome all third-party oversight and feedback to ensure we deliver on this commitment. We will continue to collaborate closely with our partners, and at the same time, employ the most advanced and innovative technologies to safeguard our users’ privacy,” said a spokesperson for the company via Bleeping Network.

However, while the apps are removed from the store, they are still installed on many devices. If
you happen to own a Huawei device, you may want to check this list and make sure you don’t have any of the affected apps installed.


Cyber Threat Hunting is an essential exercise to proactively investigate potential compromises, detect advanced threats, and improve cyber defenses. Our experts orchestrate an exhaustive and iterative process with purpose-built tools to conduct manual and semi-automated series of searches for Indicators of Compromise (IOC) and Initial Vectors of Compromise (IVOC).


When installing any app, no matter which platform you’re using, take note of the permissions the app is asking from you to allow. If the permissions don’t make sense for that type of app, it very well may be infected.

In the case of Android.Cynos.7.origin, once you grant it permission, it collects personal data such as:

  • Phone number
  • Device location
  • Device technical specs and other information and sends it to a remote server.

The trojan infected many types of apps, such as driving simulators, shooting games, RTS games, and more, and found its way on apps made for different markets like Russia, China, and Global.
One of the apps made for the Chinese market – 快点躲起来 (Hurry up and hide) was downloaded 2 million times.

Since the apps worked as they should and according to their advertised functionality, users were unlikely to uninstall them if they enjoyed the game. Some of the apps that were infected are legit, while others were created specifically to spread the malware.

The Cynos malware that this trojan is based on has been around since 2014 and is capable of many malicious activities, including spying on texts, installing apps, intercepting SMS messages, and installing payloads.