New Android malware spies on you while posing as a system update

New malware with extensive spyware capabilities steals data from infected Android devices and is designed to trigger automatically whenever new information is ready to be exfiltrated.

The spyware can only be installed as a ‘System Update’ application available from third-party Android app stores, as it has never been available on the Google Play Store.

This dramatically limits the number of devices it can infect, as more experienced users are likely to avoid installing it.

The malware also lacks any method of infecting other Android devices on its own, which further limits its ability to spread.

Steals almost everything

However, when it comes to stealing your data, this remote access trojan (RAT) can collect and exfiltrate a wide range of information to its command-and-control server.

The Zimperium researchers who spotted it observed it “stealing data, messages, images and taking control of Android phones”.

“Once in control, hackers can record audio and phone calls, take pictures, review browser history, access WhatsApp messages and more,” they added.

Zimperium said its wide range of data theft capabilities includes:

  • Theft of instant messaging messages;
  • Theft of instant messaging database files (if root is available);
  • Inspecting the default browser’s bookmarks and searches;
  • Inspecting the bookmark and search history of Google Chrome, Mozilla Firefox and Samsung Internet Browser;
  • Searching for files with specific extensions (including .pdf, .doc, .docx, .xls and .xlsx);
  • Inspecting the clipboard data;
  • Inspecting the content of notifications;
  • Audio recording;
  • Telephone call recording;
  • Taking photos periodically (through the front or rear cameras);
  • Listing installed applications;
  • Theft of images and videos;
  • Monitoring the GPS location;
  • Theft of SMS messages;
  • Theft of telephone contacts;
  • Theft of call logs;
  • Exfiltrating device information (for example, installed apps, device name, storage statistics).

Once installed on an Android device, the malware sends various information to its Firebase command-and-control server (C2), including storage statistics, the type of Internet connection and whether various applications, such as WhatsApp, are present.

The spyware collects data directly if it has root access; otherwise it uses Accessibility Services after tricking victims into enabling the feature on the compromised device.

It will also scan external storage for stored or cached data, collecting it and delivering it to the C2 server when the user connects to a Wi-Fi network.
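Because this spyware depends on the victim granting it an Accessibility Service, one quick triage check on a device is to list which third-party packages currently hold an enabled accessibility service. The script below is an added example, not code from Zimperium’s report: it parses output in the format of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3`, using constructed sample output with hypothetical package names in place of a live device.

```shell
#!/bin/sh
# Triage helper: which third-party packages have an enabled Accessibility Service?
# The two samples below are CONSTRUCTED stand-ins for the real adb outputs
# (package names are hypothetical); swap them for the live command output.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.updater.sys/com.updater.sys.AccService'
SAMPLE_PKGS='package:com.updater.sys
package:com.example.chat'

# enabled_accessibility_services is "pkg/ServiceClass:pkg2/ServiceClass2";
# emit one package name per line.
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# `pm list packages -3` prints "package:<name>" per third-party package.
third_party_packages() {
    printf '%s\n' "$1" | sed -n 's/^package://p' | sort -u
}

# Intersection of the two lists: third-party apps holding accessibility
# access, which is where a "System Update" style dropper would show up.
flag_third_party_a11y() {
    a11y=$(a11y_packages "$1")
    tp=$(third_party_packages "$2")
    printf '%s\n' "$a11y" | while IFS= read -r pkg; do
        [ -n "$pkg" ] || continue
        if printf '%s\n' "$tp" | grep -qxF -- "$pkg"; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Stand-alone run over the constructed samples; on a real device pipe in
# the output of the two adb commands instead.
flag_third_party_a11y "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

A hit is a lead, not a verdict: legitimate accessibility apps appear here too, so the flagged package still needs review of where it came from and whether it has a launcher icon.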

Hides in plain sight

Unlike other malware designed to steal data, it triggers through Android’s contentObserver and broadcast receivers only when certain conditions are met, such as a new contact being added, new text messages arriving or new applications being installed.

“The commands received through the Firebase messaging service initiate actions such as recording audio from the microphone and exfiltrating data as SMS messages,” said Zimperium.

“Firebase communication is used only to issue commands, and a dedicated C&C server is used to collect stolen data using a POST request.”

The malware also displays fake “Looking for an update” system update notifications when it receives new commands from its operators, to camouflage its malicious activity.

Fake system update alerts (Zimperium)

The spyware also hides its presence on infected Android devices by hiding its app drawer / menu icon.

To further avoid detection, it steals only thumbnails of the videos and images it finds, reducing the victim’s bandwidth consumption so as not to draw attention to the background exfiltration activity.

Unlike other malware that collects data in bulk, it also ensures that it exfiltrates only the most recent data, collecting location data and photos created in the last few minutes.

Indicators of compromise, including hashes of the malware samples and the C2 server addresses used by this spyware, are available at the end of Zimperium’s report.