New Android Spyware Masked as a ‘System Update’ – TechCrunch

Security researchers say a powerful new Android malware disguised as a critical system update can take complete control of a victim’s device and steal their data.

The malware was found packaged in an application called “System Update” that had to be installed outside of Google Play, the app store for Android devices. Once installed by the user, the application exfiltrates data from the victim’s device to the operator’s servers.

Researchers at the mobile security company Zimperium, which discovered the malicious application, said that once the victim installs it, the malware communicates with the operator’s Firebase server, which is used to remotely control the device.

The spyware can steal messages, contacts, device details, browser favorites and search history, record calls and audio from the microphone, and take photos using the phone’s cameras. The malware also tracks the victim’s location, searches for document files, and obtains data copied from the device’s clipboard.

The malware hides from the victim and tries to evade detection by reducing the amount of network data it consumes: it uploads thumbnails to the attacker’s servers instead of the entire image. The malware also captures the most up-to-date data, including location and photos.

Zimperium CEO Shridhar Mittal said the malware was probably part of a targeted attack.

“It is easily the most sophisticated we have seen,” said Mittal. “I think a lot of time and effort was spent creating this app. We believe that there are other apps like this and we are doing our best to find them as soon as possible.”

A screenshot of the malware masquerading as a system update running on an Android phone. The malware can take complete control of an affected device. (Image: Zimperium)

Tricking someone into installing a malicious application is a simple but effective way to compromise the victim’s device. That’s why Android devices warn users not to install apps from outside the app store. But many older devices don’t run the latest apps, forcing users to trust older versions of their apps from bootleg app stores.

Mittal confirmed that the malicious application was never installed on Google Play. When reached, a Google spokesman declined to comment on the steps the company was taking to prevent the malware from entering the Android app store. Google has seen malicious apps pass through its filters before.

This type of malware has far-reaching access to the victim’s device. It comes in a variety of forms and names, but basically does the same thing. In the early days of the Internet, remote access Trojans, or RATs, allowed eavesdroppers to spy on victims through their webcams. Nowadays, child monitoring applications are often repurposed to spy on a person’s spouse; such apps are known as stalkerware or spouseware.

Last year, TechCrunch reported on the KidsGuard stalkerware, ostensibly a child monitoring application, which used a similar “system update” to infect victims’ devices.

But the researchers don’t know who created the malware or who it is for.

“We are starting to see an increasing number of RATs on mobile devices. And the level of sophistication seems to be rising. It seems that criminals have realized that mobile devices have the same amount of information and are much less protected than traditional terminals,” said Mittal.


Send tips securely through Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using SecureDrop.
