Android spyware disguised as 'system update' app discovered

This malware strain steals private messaging and location data while also recording phone calls

A sophisticated strain of malware capable of stealing user data from infected Android devices is masquerading as the System Update application.

The malicious mobile app, which functions as a Remote Access Trojan (RAT), is part of a sophisticated spyware campaign that has the ability to record audio from devices, take photos, and access WhatsApp messages, according to Zimperium researchers.

Once installed, it registers with its own Firebase command and control (C&C) server, normally used by legitimate Android developers, as well as a second independent C&C server, to send across an initial cache of information. This includes information about whether WhatsApp is installed or not, battery percentage, storage stats, and other information. It can only be installed from a third party store and not the Google Play store.

The malware then receives commands to initiate various actions such as the recording of audio from the microphone or data exfiltration. Researchers have also discovered the malware is capable of inspecting web browsing data, stealing images and videos, monitoring GPS locations, stealing phone contacts and call logs, and exfiltrating device information.

The device also asks permission to enable accessibility services, and abuses this to collect conversations and message details from WhatsApp by scraping the content on the screen after detecting whether the user is accessing the messaging service.

It hides by concealing the icon from the device’s main menu or app drawer, while also posing as the legitimate System Update app to avoid suspicion. When the device’s screen is turned off, the spyware creates a ‘searching for updates’ notification using the Firebase messaging service which allows it to generate push notifications.

The spyware’s functionality is triggered under various conditions, including when a new contact is added, a new text message is received or a new application installed. It does so by exploiting Android’s receivers including ‘contentObserver’ and ‘Broadcast’, which allows communication between the device and the server.

The Firebase messaging service is only used to initiate malicious functions, such as audio recording or data exfiltration, by sending commands to infected devices. The data itself is then collected by the second dedicated C&C server.

The spyware also only collects up-to-date information, with a refresh rate of roughly five minutes for location and networking data. The same applies to photos taken using the device’s camera, but the value is instead set to 40 minutes.

Researchers have so far been unable to determine who is behind the campaign, or whether the hackers are trying to target specific users. Given this spyware can only be downloaded outside of the Google Play store, users are strongly advised not to download applications to their phones from unsafe third-party sources.

Featured Resources

How to be an MSP: Seven steps to success

Building your business from the ground up

Download now

The smart buyer’s guide to flash

Find out whether flash storage is right for your business

Download now

How MSPs build outperforming sales teams

The definitive guide to sales

Download now

The business guide to ransomware

Everything you need to know to keep your company afloat

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Hackers use open source Microsoft dev platform to deliver trojans
Security

Hackers use open source Microsoft dev platform to deliver trojans

14 May 2021
2021 state of email security report: Ransomware on the rise
Whitepaper

2021 state of email security report: Ransomware on the rise

10 May 2021
Hackers used SonicWall zero-day flaw to plant ransomware
ransomware

Hackers used SonicWall zero-day flaw to plant ransomware

30 Apr 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021
How to move Windows 10 from your old hard drive to SSD
operating systems

How to move Windows 10 from your old hard drive to SSD

30 Apr 2021