Heads up! The Android system update may contain powerful spyware


Researchers have discovered a new information-stealing Trojan that targets Android devices with a wide array of data exfiltration features, from collecting browser searches to recording audio and phone calls.

Android malware has previously disguised itself as impersonator apps carrying names similar to legitimate software; this new, sophisticated malicious app instead poses as a system update application in order to take control of compromised devices.

“Spyware creates a notification if the device’s screen is off when it receives a command using the Firebase messaging service,” Zimperium researchers said in an analysis on Friday. “‘Searching for update ..’ is not a legitimate notification of the operating system, but of spyware.”

Once installed, the spyware begins by registering the device with a Firebase command-and-control (C2) server, sending information such as battery percentage, storage statistics and whether WhatsApp is installed. It then gathers any data of interest and exports it to the server in the form of an encrypted ZIP file.


The spyware has a wide range of capabilities with a focus on stealth: stealing contacts, browser bookmarks and search history, stealing messages by abusing accessibility services, recording audio and phone calls, and taking photos with the phone’s cameras. It can also track the victim’s location, search for files with specific extensions and read data from the device’s clipboard.

“Spyware functionality and data exfiltration are triggered under various conditions, such as a new contact added, a new SMS received or a new application installed using Android’s contentObserver and Broadcast receivers,” said the researchers.

Furthermore, the malware not only organizes the collected data into various folders within its private storage, but also erases traces of its activity, deleting the ZIP files as soon as it receives a “success” message from the C2 server after exfiltration. To evade detection and fly under the radar, the spyware also reduces bandwidth consumption by uploading thumbnails instead of the actual images and videos found on external storage.
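The capability profile described above (accessibility-service abuse, microphone and camera access, contact and SMS theft, location tracking, and Firebase push messages as the command channel) is something an analyst can look for statically in an APK’s manifest. The following Python script is an added example written for this article, not code from Zimperium or from the malware; it parses a constructed, hypothetical AndroidManifest.xml and flags the combination of traits the article attributes to the “System Update” spyware. The permission names, the accessibility-service binding permission and the Firebase `MESSAGING_EVENT` action are real Android and Firebase identifiers; the scoring thresholds and the sample manifests are assumptions made for illustration.

```python
"""Static triage of an Android manifest for the spyware traits the article describes."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    """Return the namespaced attribute key for android:<attr>."""
    return f"{{{ANDROID_NS}}}{attr}"


# Capabilities the article attributes to the spyware, mapped to the Android
# permission that grants each one.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record audio and calls",
    "android.permission.CAMERA": "take photos",
    "android.permission.READ_CONTACTS": "steal contacts",
    "android.permission.READ_SMS": "steal SMS",
    "android.permission.ACCESS_FINE_LOCATION": "track location",
    "android.permission.READ_EXTERNAL_STORAGE": "search files and media",
    "android.permission.READ_CALL_LOG": "read call metadata",
}

# Constructed sample manifests (hypothetical package names, not real IoCs).
SUSPICIOUS_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.sysupdate">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="System Update">
    <service android:name=".Access"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Push">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


def parse_manifest(xml_text):
    """Extract the package name, label, permissions and service traits from a manifest."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(_a("name")) for p in root.findall("uses-permission")}
    label = app.get(_a("label"), "") if app is not None else ""
    accessibility = False
    firebase = False
    for svc in (app.findall("service") if app is not None else []):
        # An accessibility service must be protected by this binding permission.
        if svc.get(_a("permission")) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            accessibility = True
        # A service handling this action receives Firebase Cloud Messaging pushes.
        for action in svc.iter("action"):
            if action.get(_a("name")) == "com.google.firebase.MESSAGING_EVENT":
                firebase = True
    return {
        "package": root.get("package"),
        "label": label,
        "permissions": perms,
        "accessibility_service": accessibility,
        "firebase_messaging": firebase,
    }


def triage(info):
    """Return a list of human-readable findings; an empty list means no trait matched."""
    findings = []
    hits = sorted(SURVEILLANCE_PERMISSIONS[p] for p in info["permissions"]
                  if p in SURVEILLANCE_PERMISSIONS)
    if len(hits) >= 4:  # assumed threshold: four or more surveillance permissions
        findings.append("broad surveillance permission set: " + ", ".join(hits))
    if info["accessibility_service"]:
        findings.append("binds an accessibility service (can read on-screen messages)")
    if info["firebase_messaging"]:
        findings.append("receives Firebase push messages (possible C2 command channel)")
    if "system update" in info["label"].lower():
        # Platform update UIs are not sideloaded apps; a third-party package using
        # this label deserves analyst review.
        findings.append(f"labelled '{info['label']}' in package {info['package']}")
    return findings


if __name__ == "__main__":
    for name, text in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(parse_manifest(text)))
```

Run on a real APK, the manifest would first be decoded from its binary form (for example with `apktool` or `aapt2 dump xmltree`); the heuristic is a triage aid to prioritise samples for analysis, not a verdict on its own, since legitimate accessibility or messaging apps can share some of these traits.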

While the “System Update” app has never been distributed through the official Google Play Store, the research highlights yet again how third-party app stores can harbor dangerous malware. The identity of the malware authors, the victims targeted and the ultimate motive behind the campaign remain unclear.
