New Android malware with a full range of spy features has been found


Researchers have discovered a new, advanced piece of Android malware that locates sensitive information stored on infected devices and sends it to servers controlled by the attacker.

The app disguises itself as a system update that must be downloaded from a third-party store, researchers at security company Zimperium said on Friday. In fact, it is a remote access Trojan that receives and executes commands from a command-and-control server, providing a full-featured espionage platform that performs a wide range of malicious activities.

Soup to nuts

Zimperium has listed the following features:

  • Stealing instant messenger messages
  • Stealing instant messenger database files (if root is available)
  • Inspecting the default browser's bookmarks and searches
  • Inspecting the bookmark and search history of Google Chrome, Mozilla Firefox and Samsung Internet browser
  • Searching for files with specific extensions (including .pdf, .doc, .docx, .xls and .xlsx)
  • Inspecting clipboard data
  • Inspecting the content of notifications
  • Recording audio
  • Recording phone calls
  • Periodically taking photos (through the front or rear cameras)
  • Listing installed applications
  • Stealing images and videos
  • Monitoring GPS location
  • Stealing SMS messages
  • Stealing phone contacts
  • Stealing call logs
  • Exfiltrating device information (for example, installed apps, device name, storage statistics)
  • Concealing its presence by hiding the icon from the device's drawer/menu

Messaging apps vulnerable to database theft include WhatsApp, which billions of people use, often with the expectation that it provides more confidentiality than other messengers. As noted above, the databases can be accessed only if the malware has root access to the infected device. Attackers can root infected devices when they run older versions of Android.

If the malicious application does not acquire root, it can still collect details of WhatsApp conversations and messages by tricking users into enabling Android accessibility services. Accessibility services are controls integrated into the operating system that make it easier for users with visual impairments or other disabilities to use their devices, for example by modifying the screen or by having the device provide spoken feedback. Once accessibility services are enabled for it, the malicious application can scrape the contents of the WhatsApp screen.

Another feature is the theft of files stored on a device's external storage. To reduce the bandwidth consumption that could alert the victim that a device is infected, the malicious application steals thumbnails of images, which are much smaller than the images they correspond to. When the device is connected to Wi-Fi, the malware sends stolen data from all folders to the attackers; when only a mobile connection is available, it sends a more limited set of data.

As complete as the spy platform may be, it suffers from an important limitation: it cannot infect devices without first deceiving users into making decisions that more experienced users know are unsafe. First, users must download the application from a third-party source. As problematic as the Google Play Store is, it is usually a more reliable place to get apps. Users must also be socially engineered into enabling accessibility services for some of the advanced features to work.
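Both limitations described above (the app has to be sideloaded, and it has to talk the user into enabling an accessibility service) leave marks an administrator can check for. The script below is an added example, not code from the article or from Zimperium; it parses constructed sample text in the shape of the output of `adb shell pm list packages -i` (package name plus installing package, `null` for sideloads) and `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/service`). The package names, the trusted-installer set and the allow-lists are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of `adb shell pm list packages -i`.
# The package names below are invented for this example.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.android.chrome  installer=null
package:com.example.systemupdate  installer=null
package:com.samsung.android.app.notes  installer=com.sec.android.app.samsungapps
"""

# Constructed sample in the shape of
# `adb shell settings get secure enabled_accessibility_services`.
SAMPLE_A11Y_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.systemupdate/com.example.systemupdate.AccService"
)

# Assumed policy: installers an organisation treats as trustworthy.
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}
# Packages that ship with the firmware also report installer=null; allow-list them.
SYSTEM_PACKAGES = {"com.android.chrome"}
# Accessibility services the fleet expects to see enabled (assumed allow-list).
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}

PM_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> installer package ("null" when sideloaded)."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            result[m.group("pkg")] = m.group("inst")
    return result


def sideloaded_packages(text: str) -> List[str]:
    """Packages not installed by a trusted store and not part of the system image."""
    pkgs = parse_pm_list(text)
    return sorted(p for p, inst in pkgs.items()
                  if inst not in TRUSTED_INSTALLERS and p not in SYSTEM_PACKAGES)


def parse_enabled_a11y(text: str) -> List[str]:
    """Split the colon-separated setting; 'null' or empty means nothing enabled."""
    text = text.strip()
    if not text or text == "null":
        return []
    return [s for s in text.split(":") if s]


def unexpected_a11y_services(text: str) -> List[str]:
    """Enabled accessibility services whose owning package is not on the allow-list."""
    return [s for s in parse_enabled_a11y(text)
            if s.split("/", 1)[0] not in KNOWN_A11Y_PACKAGES]


def triage(pm_text: str, a11y_text: str) -> Dict[str, List[str]]:
    """Combine both checks; a sideloaded app holding an enabled accessibility
    service is the pattern the article describes and gets its own bucket."""
    side = sideloaded_packages(pm_text)
    a11y = unexpected_a11y_services(a11y_text)
    a11y_owners = {s.split("/", 1)[0] for s in a11y}
    return {
        "sideloaded": side,
        "unexpected_accessibility": a11y,
        "sideloaded_with_accessibility": sorted(p for p in side if p in a11y_owners),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_OUTPUT).items():
        print(f"{key}: {value}")
```

On a real device the two strings would come from `adb shell` (or a device-management agent) instead of the constructed constants; the allow-lists are the part that has to be tuned per fleet, since OEM stores and preloaded apps legitimately show up with unfamiliar installers.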

Google declined to comment, except to reiterate that the malware was never available on Play.
