Watch out! That Android system update may contain a powerful spyware


Researchers have discovered a new information-stealing trojan targeting Android devices with a wide range of data exfiltration capabilities – from collecting browser queries to recording audio and phone calls.

While malware on Android has previously taken the guise of copycat apps, which have names similar to legitimate pieces of software, this sophisticated new malicious app masquerades as a System Update application to take control of compromised devices.

“The spyware will notify you if the device’s screen is turned off when it receives a command through the Firebase messaging service,” Zimperium researchers said in an analysis Friday. “The ‘Searching for update …’ is not a legitimate notification from the operating system, but the spyware.”

Once installed, the spyware begins by registering the device with a Firebase command-and-control (C2) server, sending information such as battery percentage, storage stats, and whether WhatsApp is installed on the phone. It then collects all data of interest and exports it to the server in the form of an encrypted ZIP file.


The spyware offers numerous capabilities with a focus on stealth, including tactics to steal contacts, browser bookmarks and search history, steal messages by exploiting accessibility services, record audio and phone calls, and take photos with the phone’s cameras. It can also track the location of the victim, search for files with specific extensions and pull data from the device’s clipboard.

“The functionality of the spyware and data exfiltration are activated under different circumstances, such as adding a new contact, receiving a new SMS or installing a new application using Android’s contentObserver and Broadcast receivers,” said the researchers.

In addition, the malware not only organizes the collected data in different folders in its private storage, but also wipes out any trace of malicious activity by deleting the ZIP files as soon as it receives a “success” message from the C2 server after exfiltration. In a further attempt to bypass detection and fly under the radar, the spyware also reduces bandwidth usage by uploading thumbnails as opposed to the actual images and videos present in external storage.
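As an added example (not code from the article or from Zimperium), the following triage heuristic scores an Android app inventory against the indicators described above: a non-system app labelled as a system update, sideloaded rather than installed from Google Play, declaring an accessibility service and holding the permissions its surveillance features would need. The inventory record format, the permission-to-capability mapping and the package names are constructed assumptions for this example.

```python
import re

# Permissions the article's capabilities would need; the mapping is an
# assumption of this example, not a list taken from the Zimperium report.
SENSITIVE = {
    "android.permission.RECORD_AUDIO": "record audio and calls",
    "android.permission.CAMERA": "take photos",
    "android.permission.READ_CONTACTS": "steal contacts",
    "android.permission.READ_SMS": "read SMS",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_EXTERNAL_STORAGE": "search files, upload thumbnails",
}
PLAY_STORE = "com.android.vending"          # installer package of Google Play
UPDATE_LABEL = re.compile(r"system\s*update", re.IGNORECASE)

def triage(app):
    """Return the indicators from the article that an inventory record matches.
    Record fields (constructed format): package, label, system, installer,
    accessibility_service, permissions."""
    reasons = []
    if UPDATE_LABEL.search(app["label"]) and not app["system"]:
        reasons.append("poses as a system update but is not a system app")
    if not app["system"] and app["installer"] != PLAY_STORE:
        reasons.append("sideloaded, installer=%s" % (app["installer"] or "none"))
    if app["accessibility_service"]:   # how the article says messages are read
        reasons.append("declares an accessibility service")
    held = [SENSITIVE[p] for p in app["permissions"] if p in SENSITIVE]
    if len(held) >= 3:
        reasons.append("broad surveillance permissions: " + ", ".join(held))
    return reasons

def flagged(inventory, min_reasons=3):
    """Map package -> reasons for records matching at least min_reasons."""
    hits = {a["package"]: triage(a) for a in inventory}
    return {pkg: r for pkg, r in hits.items() if len(r) >= min_reasons}

# Constructed sample inventory (not real packages from the report).
SAMPLE = [
    {"package": "com.example.sysupdate", "label": "System Update", "system": False,
     "installer": None, "accessibility_service": True,
     "permissions": list(SENSITIVE)},
    {"package": "com.example.ota", "label": "System update", "system": True,
     "installer": None, "accessibility_service": False, "permissions": []},
    {"package": "com.example.chat", "label": "Chat", "system": False,
     "installer": PLAY_STORE, "accessibility_service": False,
     "permissions": ["android.permission.CAMERA", "android.permission.READ_SMS",
                     "android.permission.READ_CONTACTS"]},
]
```

Running `flagged(SAMPLE)` flags only the sideloaded "System Update" record; a genuine system OTA app and a Play-installed chat app with broad permissions each match too few indicators to be reported.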

Although the “System Update” app has never been distributed through the official Google Play Store, the study once again shows how third-party app stores can harbor dangerous malware. The identity of the malware authors, the intended victims and the ultimate motive behind the campaign remain unclear for the time being.
