Researchers have discovered a new information-stealing Trojan, which targets Android devices with an avalanche of data exfiltration capabilities, from collecting browser searches to recording audio and phone calls.
While malware on Android has previously disguised itself as copycat apps, which have similar names to legitimate pieces of software, this sophisticated new malicious app masquerades as a system update app to take control of compromised devices.
“The spyware creates a notification if the device screen is off when it receives a command using the Firebase messaging service,” Zimperium researchers said in an analysis on Friday. “The ‘Checking for update …’ is not a legitimate notification from the operating system, but from the spyware.”
Once installed, the spyware begins its work by registering the device with a Firebase command-and-control (C2) server, sending information such as battery percentage, storage statistics, and whether the phone has WhatsApp installed. It then accumulates any data of interest and exports it to the server in the form of an encrypted ZIP file.
The spyware has a broad set of capabilities with a focus on stealth, including stealing contacts, browser bookmarks and search history, stealing messages by abusing accessibility services, recording audio and phone calls, and taking photos with the phone’s cameras. It can also track the victim’s location, search for files with specific extensions, and read data from the device’s clipboard.
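The capability set described above maps onto a recognizable combination of Android permissions plus an accessibility service, declared by an app that presents itself as an OS component while living in user-installed app storage. The following is an added triage example written for this article, not code from Zimperium or from the report; the package names, labels, install paths and permission lists are constructed sample data, not indicators taken from the campaign. It scores package records on those three observations and flags ones that combine them.

```python
# Added example: triage of installed-package records against the capability
# profile described in the article (contacts, SMS via accessibility abuse,
# audio/call recording, camera, location, external storage). All package
# records below are constructed sample data, not indicators from the report.
from dataclasses import dataclass, field

# Permissions that together realise the described behaviours. Holding many of
# them is normal for some apps; holding them while posing as the OS is not.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Labels that imitate an OS component. A genuine updater is part of the system
# image (under /system/), so the label alone is not the signal; the path is.
IMPERSONATION_LABELS = {"system update", "software update", "android update"}


@dataclass
class Package:
    name: str
    label: str
    install_path: str
    permissions: set = field(default_factory=set)
    accessibility_service: bool = False  # declares BIND_ACCESSIBILITY_SERVICE


def triage(pkg: Package) -> dict:
    """Return a finding for one package: score, verdict and human-readable reasons."""
    reasons = []
    sensitive = sorted(p for p in pkg.permissions if p in SENSITIVE_PERMISSIONS)
    if len(sensitive) >= 4:
        reasons.append(f"{len(sensitive)} sensitive permissions: {', '.join(sensitive)}")
    if pkg.accessibility_service:
        reasons.append("declares an accessibility service (message-scraping vector)")
    if (pkg.label.strip().lower() in IMPERSONATION_LABELS
            and not pkg.install_path.startswith("/system/")):
        reasons.append(f"label '{pkg.label}' imitates the OS but is installed at {pkg.install_path}")
    score = len(reasons)
    # A single observation is common and benign; two or more together is the profile.
    return {"package": pkg.name, "score": score, "suspicious": score >= 2, "reasons": reasons}


def triage_all(packages) -> list:
    """Triage a list of packages and return only the suspicious findings."""
    return [f for f in (triage(p) for p in packages) if f["suspicious"]]


# Constructed sample inventory: a benign app, a real system updater, and a
# user-installed app imitating one. None of these names come from the report.
SAMPLE_PACKAGES = [
    Package("com.example.notes", "Notes", "/data/app/com.example.notes-1",
            {"android.permission.READ_EXTERNAL_STORAGE"}),
    Package("com.example.oemupdater", "System Update", "/system/priv-app/oemupdater",
            {"android.permission.READ_EXTERNAL_STORAGE"}),
    Package("com.example.sample.updater", "System Update", "/data/app/com.example.sample.updater-1",
            {"android.permission.READ_CONTACTS", "android.permission.READ_SMS",
             "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
             "android.permission.ACCESS_FINE_LOCATION",
             "android.permission.READ_EXTERNAL_STORAGE"},
            accessibility_service=True),
]

if __name__ == "__main__":
    for finding in triage_all(SAMPLE_PACKAGES):
        print(finding["package"], finding["score"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

The second sample shows why the label check is tied to the install path: an OEM updater legitimately calls itself "System Update" but ships under /system/, so it scores zero, while the user-installed look-alike with the full permission profile and an accessibility service scores three.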
“The spyware functionality and data exfiltration are activated under multiple conditions, such as a new contact added, a new SMS received, or a new application installed using the Android contentObserver and Broadcast receivers,” the researchers said.
Furthermore, the malware not only organizes the collected data in various folders within its private storage, but also removes traces of its activity by deleting the ZIP files as soon as it receives a “success” message from the C2 server after exfiltration. In a further attempt to evade detection and go unnoticed, the spyware also reduces its bandwidth consumption by uploading thumbnails instead of the actual images and videos present on external storage.
Although the “System Update” application was never distributed through the official Google Play store, the research once again highlights how third-party application stores can harbor dangerous malware. The identity of the malware authors, the targeted victims, and the ultimate motive for the campaign are still unclear.