Chinese developers expose data belonging to Android gamers

In the end, Hong Kong CERT was contacted in an attempt to resolve the security issue.
Written by Charlie Osborne, Contributing Writer

The Chinese developers of popular Android gaming apps exposed information belonging to users through an unsecured server.

In a report shared with ZDNet, vpnMentor's cybersecurity team, led by Noam Rotem and Ran Locar, revealed EskyFun as the owner of a 134GB server exposed and made public online.

EskyFun is the developer of Android games including Rainbow Story: Fantasy MMORPG, Adventure Story, The Legend of the Three Kingdoms, and Metamorph M.

On Thursday, the team said that users of the following games were involved in the data leak: Rainbow Story: Fantasy MMORPG, Metamorph M, and Dynasty Heroes: Legends of Samkok. Together, they account for over 1.6 million downloads.  

In total, the team said that an alleged 365,630,387 records contained data from June 2021 onward, leaking user data collected on a seven-day rolling system.

The team says that the developers impose "aggressive and deeply troubling tracking, analytics, and permissions settings" when their software is downloaded and installed, and as a result, the variety of data collected was, perhaps, far more than you would expect mobile games to require. 

The records included IP and IMEI numbers, device information, phone numbers, the OS in use, mobile device event logs, whether or not a handset was rooted; game purchase and transaction reports, email addresses, EskyFun account passwords stored in plaintext, and support requests, among other data. 


vpnMentor suspects that up to, or more than, one million users may have had their information exposed. 

The unsecured server was discovered on July 5 and EskyFun was contacted two days later. However, after receiving no response, vpnMentor made a second attempt on July 27. 

Continued silence required the team to also reach out to Hong Kong CERT and the server was secured on July 28. 

"Much of this data was incredibly sensitive, and there was no need for a video game company to be keeping such detailed files on its users," the researchers commented. "Furthermore, by not securing the data, EskyFun potentially exposed over one million people to fraud, hacking, and much worse."

ZDNet has reached out to EskyFun and we will update when we hear back.

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards