Researchers have discovered a new sophisticated piece of Android malware that finds sensitive information stored on infected devices and sends it to attacker-managed servers.
The app disguises itself as a system update to be downloaded from a third-party store, researchers from security firm Zimperium said Friday. In fact, it is a remote access trojan that receives and executes commands from a command and control server. It offers a fully featured spy platform that performs a wide variety of malicious activities.
Soup to nuts
Zimperium listed the following possibilities:
- Stealing instant messenger messages
- Stealing instant messenger database files (if root is available)
- Inspecting the default browser's bookmarks and searches
- Inspecting the bookmark and search history of Google Chrome, Mozilla Firefox and Samsung Internet Browser
- Searching for files with specific extensions (including .pdf, .doc, .docx, .xls and .xlsx)
- Inspecting the clipboard data
- Inspecting the content of notifications
- Recording audio
- Recording phone calls
- Periodically taking photos (via the front or back camera)
- Listing the installed applications
- Stealing images and videos
- Monitoring the GPS location
- Stealing text messages
- Stealing phone contacts
- Stealing call logs
- Exfiltrating device information (e.g. installed applications, device name, storage statistics)
- Concealing its presence by hiding its icon from the device's app drawer/menu
Messaging apps vulnerable to database theft include WhatsApp, which is used by billions of people, often in the expectation that it offers more confidentiality than other messengers. As noted, the databases are accessible only if the malware has root access to the infected device. Attackers can root infected devices that run older versions of Android.
If the malicious app does not acquire root, it can still collect WhatsApp conversations and message details by tricking users into enabling Android accessibility services for it. Accessibility services are controls built into the operating system that make devices easier to use for people with visual impairments or other disabilities, for example by adjusting the screen or having the device provide spoken feedback. Once accessibility services are enabled for the malicious app, it can scrape the content shown on the WhatsApp screen.
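Because the accessibility-service route needs the user to grant the malicious app that permission, a quick defensive check is to audit which apps currently hold it. The following script is an added example, not code from the article or from Zimperium's report. It parses the value that `adb shell settings get secure enabled_accessibility_services` returns (a colon-separated list of `package/ServiceClass` component names) and flags any service whose package is not on a defender-maintained allowlist. The allowlist, the sample setting value and the package name `com.example.sysupdate` are all constructed for the example.

```python
"""Audit which Android accessibility services are enabled on a device.

Added example (not from the article or Zimperium). Reads the raw value of the
secure setting `enabled_accessibility_services`, either from a constructed
sample or from an attached device via adb, and reports services belonging to
packages that have not been allowlisted.
"""
import subprocess
import sys
from typing import Iterable, List, Tuple

# Constructed allowlist: packages a fleet owner has vetted for accessibility access.
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}

# Constructed sample of the setting's raw value, in the format `settings get` prints.
# The second entry uses Android's `pkg/.Class` shorthand for `pkg/pkg.Class`.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.AccService"
)


def parse_components(raw: str) -> List[Tuple[str, str]]:
    """Split the setting into (package, fully qualified service class) pairs.

    `settings get` prints the literal string 'null' when the key is unset, and
    an empty string when no service is enabled; both mean "nothing enabled".
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs: List[Tuple[str, str]] = []
    for item in raw.split(":"):
        item = item.strip()
        if not item or "/" not in item:
            continue  # ignore malformed fragments rather than crash the audit
        pkg, cls = item.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls  # expand the relative class-name shorthand
        pairs.append((pkg, cls))
    return pairs


def untrusted_services(raw: str, trusted: Iterable[str] = TRUSTED_PACKAGES) -> List[str]:
    """Return component names (pkg/cls) whose package is not on the allowlist."""
    trusted_set = set(trusted)
    return [f"{pkg}/{cls}" for pkg, cls in parse_components(raw) if pkg not in trusted_set]


def read_setting_from_device() -> str:
    """Query a USB-attached, adb-authorised device for the live setting value."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    # Pass --device to audit a real device; otherwise the constructed sample is used.
    raw_value = read_setting_from_device() if "--device" in sys.argv else SAMPLE_SETTING
    flagged = untrusted_services(raw_value)
    if flagged:
        print("Accessibility services enabled for non-allowlisted packages:")
        for component in flagged:
            print("  ", component)
    else:
        print("No unexpected accessibility services enabled.")
```

Run without arguments to see the check exercised against the constructed sample; with `--device` it reads the live value from an attached device. Any package in the output that the user does not recognise as an assistive tool deserves a closer look, since accessibility access is exactly what lets an app read another app's screen.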
The malware also steals files stored on a device's external storage. To keep bandwidth usage low enough not to alert a victim that the device is infected, it steals image thumbnails, which are much smaller than the images they correspond to. When the device is connected to Wi-Fi, the malware sends stolen data from all folders to the attackers; when only a cellular connection is available, it sends a more limited set of data.
As complete as the espionage platform is, it suffers from one major limitation: it cannot infect a device without first tricking the user into making decisions that more experienced users know are unsafe. First, users must download the app from an external source. As problematic as Google's Play Store is, it is generally a more reliable place to download apps. Users must also be socially engineered into enabling accessibility services before some of the more advanced features work.
Google declined to comment, except to reiterate that the malware was never available on Play.