The new malware with extensive spyware capabilities steals data from infected Android devices and is designed to activate automatically whenever new information is read for exfiltration.
Spyware can only be installed as a ‘System Update’ app available through third-party Android app stores, as it was never available on the Google Play Store.
This drastically limits the number of devices it can infect, as more experienced users will likely avoid installing it in the first place.
The malware also lacks a method of infecting other Android devices on its own, adding to its limited spreading capabilities.
Robberies almost all
However, when it comes to stealing your data, this Remote Access Trojan (RAT) can collect and exfiltrate a wide range of information to its command and control server.
The Zimperium researchers who detected it observed it while “stealing data, messages, images and taking control of Android phones.”
“Once in control, hackers can record audio and phone calls, take photos, check browser history, access WhatsApp messages and more,” they added.
Zimperium said its wide range of data theft capabilities include:
- Steal instant messaging messages;
- Steal IM database files (if root is available);
- Inspect the bookmarks and searches of the default browser;
- Inspect search history and bookmarks of Google Chrome, Mozilla Firefox, and Samsung Internet browser;
- Search for files with specific extensions (including .pdf, .doc, .docx and .xls, .xlsx);
- Inspect the clipboard data;
- Inspect the content of notifications;
- Audio recording;
- Telephone call recording;
- Take pictures periodically (either through the front or rear camera);
- List of installed applications;
- Steal images and videos;
- GPS location monitoring;
- Steal SMS messages;
- Steal phone contacts;
- Steal call logs;
- Extract device information (eg installed applications, device name, storage statistics).
Once installed on an Android device, the malware will send various data to its Firebase command and control (C2) server, including storage statistics, type of internet connection, and the presence of various applications such as WhatsApp.
The spyware collects data directly if it has root access or it will use the accessibility services after tricking the victims into enabling the feature on the compromised device.
It will also scan the external storage for stored or cached data, collect it and deliver it to the C2 servers when the user connects to a Wi-Fi network.
Hides in plain sight
Unlike other malware designed to steal data, this one will be activated using Android’s contentObserver and Broadcast receivers only when certain conditions are met, such as adding a new contact, new text messages, or installing new applications.
“Commands received through the Firebase messaging service initiate actions such as recording audio from the microphone and leaking data such as SMS messages,” said Zimperium.
“Firebase communication is only used to issue the commands, and a dedicated C&C server is used to collect the stolen data via a POST request.”
The malware will also display fake “Looking for update …” system update notifications when it receives new commands from its masters to disguise its malicious activity.
Spyware also hides its presence on infected Android devices by hiding the drawer / menu icon.
To further evade detection, it will only steal thumbnails of videos and images that it finds, thus reducing the bandwidth consumption of victims to avoid drawing their attention to background data exfiltration activity.
Unlike other malware that collects data in bulk, this one will also make sure that it extracts only the most recent data, collecting location data created and photos taken in the last few minutes.
Indicators of compromise, including malware sample hashes and C2 server addresses used during this spyware, are available at the end of Zimperium Report.