‘System update’ App Spyware Targets Android Users

Android device users are being targeted by a sophisticated spyware app that disguises itself as a “system update” application, mobile security firm Zimperium zLabs has said.

The new malware disguises itself as a System Update application and steals data, inspects notifications, monitors messages and images, and takes control of Android phones.

Once in control, hackers can record audio and phone calls, take photos, review browser history and access WhatsApp messages.

The app can also monitor your GPS location, steal SMS messages and exfiltrate device information, international news outlet Gizmodo reported.

The “System Update” app was discovered by Zimperium researchers, who have classified it as a Remote Access Trojan (RAT)—a broad category of malware that typically allows a hacker to access and manipulate your device from afar.

“Following an investigation, we discovered it to be a sophisticated spyware campaign with complex capabilities. We also confirmed with Google that the app was not and has never been on Google Play,” the mobile security firm said.

“This particular RAT is downloaded with the promise of helping you keep your device up to date but, instead, sends all your information back to a Command & Control server,” Gizmodo quoted Shridhar Mittal, Zimperium CEO, as saying.

“It’s easily the most sophisticated [RAT] we’ve seen,” Mr Mittal told the outlet. “I think a lot of time and effort was spent on creating this app. We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible.”

How it works

According to Zimperium, upon installation (from a third-party store, not Google Play Store), the device gets registered with the Firebase Command and Control (C&C).

It extracts details such as the presence or absence of WhatsApp, battery percentage, storage stats, the token received from the Firebase messaging service, and the type of internet connection.

The options to update the mentioned device information exist as “update” and “refreshAllData,” the difference being that in “update,” the device information alone is collected and sent to the C&C, whereas in “refreshAllData,” a new Firebase token is also generated and exfiltrated.

“The spyware’s functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or a new application installed, by making use of Android’s contentObserver and Broadcast receivers.

“Commands received through the Firebase messaging service initiate actions such as recording of audio from the microphone and exfiltration of data such as SMS messages.

“The Firebase communication is only used to issue the commands, and a dedicated C&C server is used to collect the stolen data by using a POST request.”
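
As an added example (not from the original report or from Zimperium), the following defender-side triage reads a decoded AndroidManifest.xml and checks for the combination described above: an update-themed label together with collection permissions, SMS and package-install broadcast triggers, and a Firebase messaging service. The permission-to-capability mapping, the threshold and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Permission -> capability named in the report (mapping is this example's assumption).
PERMS = {
    "android.permission.RECORD_AUDIO": "audio/call recording",
    "android.permission.CAMERA": "photos",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.READ_CONTACTS": "contact monitoring",
    "android.permission.ACCESS_FINE_LOCATION": "GPS location",
}
# Broadcast actions matching the "new SMS" and "new application" triggers.
TRIGGERS = {"android.provider.Telephony.SMS_RECEIVED",
            "android.intent.action.PACKAGE_ADDED"}
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"  # Firebase messaging service filter

def actions(root, tag):
    """Intent-filter actions declared under every <tag> component."""
    return {a.get(A + "name") for c in root.iter(tag) for a in c.iter("action")}

def triage(manifest_xml):
    """Findings for one decoded AndroidManifest.xml given as a string."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    # A literal label is assumed; resolve @string/... references beforehand.
    label = app.get(A + "label", "") if app is not None else ""
    requested = {p.get(A + "name") for p in root.iter("uses-permission")}
    found = {
        "masquerade": "update" in label.lower(),
        "capabilities": sorted(PERMS[p] for p in requested.intersection(PERMS)),
        "triggers": sorted(actions(root, "receiver") & TRIGGERS),
        "fcm_commands": FCM_ACTION in actions(root, "service"),
    }
    # Illustrative threshold: update-themed label + broad collection + event triggers.
    found["suspicious"] = (found["masquerade"] and len(found["capabilities"]) >= 3
                           and bool(found["triggers"]))
    return found

# Constructed sample (hypothetical package), in the form a manifest decoder emits.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sysupdate">
<uses-permission android:name="android.permission.RECORD_AUDIO"/>
<uses-permission android:name="android.permission.READ_SMS"/>
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
<application android:label="System Update">
<receiver android:name=".R"><intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
<service android:name=".M"><intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter></service>
</application></manifest>"""
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A hit is a reason to inspect the package further, not a verdict: legitimate apps also request these permissions, which is why the check requires the label, the permissions and the triggers together.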

PREMIUM TIMES