Servers controlled by Chinese IT and services giant Hangzhou Shunwang Technology collect phone contact lists, geolocation, and QQ messenger login info through a data-stealing component present in up to a dozen Android apps available from major third-party stores in the country.
The code that steals the information hides in a data analytics Software Development Kit (SDK) integrated into seemingly benign apps and delivers the scraped details whenever the phone reboots or the infected app starts.
Researchers believe that gathering end users' contact lists is likely to happen without app developers knowing about it.