Google Play started rolling out privacy-focused "nutrition labels" last year to help users know what data apps collect even before downloading.
However, it appears that bad actors and developers have found a way to dodge the system to steal users' data.
According to analysts at the mobile cybersecurity company Pradeo, two apps on Google Play were found to contain spyware that sends data to malicious servers based in China.
The firm notes that over 10 lakh users are affected by the spyware-laden apps. It added that the apps' download pages stated they didn't collect data.
In a blog post, the cybersecurity firm states that it has alerted Google to the discovery.
The two apps with Chinese spyware are "File Recovery and Data Recovery" and "File Manager".
Both are published by the same developer, named Wang Tom.
As the names suggest, the apps help users manage data and, in some cases, retrieve deleted files from phones, tablets, or other Android devices.
Users are advised to delete the apps if they are still using them.
As mentioned, the apps somehow sidestepped Google Play's rule requiring apps to declare the data they collect.
The research firm suggests that the apps were collecting data, including users' contact lists from the device itself and from all connected accounts, real-time user location, mobile country code, network provider name, network code of the SIM provider, and device brand and model.
The spyware-laden Android apps likely passed the Google Play security check because they offer seemingly legitimate services.
The research firm suggests that users must check reviews before downloading apps.
In many cases, apps show high download counts but have no reviews, which should raise red flags.
The firm also notes that users must "carefully read permissions before accepting them."