New Android malware attacks devices masquerading as a “system update”


The spyware can take complete control of the user’s device.

Researchers at Zimperium have discovered a new type of malware that attacks Android devices. They found the spyware hidden in an app called “System Update”. The app had to be installed outside of Google Play, the store where most apps for Android devices are distributed. After installation the malware hides itself while stealing data from the victim’s device and sending it to the malefactor’s servers.

The spyware steals messages, contacts, device details, browser bookmarks and search history, and records calls and ambient sound from the microphone. It can even take photos using the phone’s cameras. The malware also tracks the victim’s location and reports it back to its operator. All the while, the app searches for document files and snatches copied data from the device’s clipboard.

How it works

Asim Yaswant, a security researcher at Zimperium, detailed the new malware threat in a blog post on March 26. “The mobile application poses a threat to Android devices by functioning as a Remote Access Trojan (RAT),” he explains.

It registers itself with the Firebase C&C, reporting details such as the presence or absence of WhatsApp, battery percentage, storage stats, the token received from the Firebase messaging service, and the type of internet connection. The app then receives and executes commands to collect and exfiltrate a wide range of data and to perform further malicious actions.

The malware exposes two commands for refreshing that device information: “update” and “refreshAllData.” With “update,” only the device information is collected and sent to the C&C. With “refreshAllData,” a new Firebase token is also generated and exfiltrated.

Yaswant says the spyware exhibits a rarely seen feature: stealing thumbnails of videos and images. This comes on top of its use of Firebase in combination with a dedicated Command & Control server for receiving commands and exfiltrating data.
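The article’s two defender-relevant facts are that the app arrived outside Google Play and that its data theft needs the permissions behind SMS, contacts, microphone, camera, location and file access. The following triage script is an added example, not Zimperium’s or Techzine’s code: it parses constructed `pm list packages -3 -i` and `dumpsys package` output (package names and the permission threshold are assumptions) and flags sideloaded packages holding most of that permission set.

```python
import re
from typing import Dict, List, Set

# Constructed `adb shell pm list packages -3 -i` output (third-party packages with
# the installer that placed them); package names are made up for this example.
PM_LIST_SAMPLE = """\
package:com.example.notes  installer=com.android.vending
package:com.update.system  installer=null
"""
# Constructed excerpt in the style of `adb shell dumpsys package <pkg>`, reduced
# to the permission lines this check needs.
DUMPSYS_SAMPLES = {
    "com.update.system": """\
    runtime permissions:
      android.permission.READ_SMS: granted=true
      android.permission.READ_CONTACTS: granted=true
      android.permission.RECORD_AUDIO: granted=true
      android.permission.CAMERA: granted=true
      android.permission.ACCESS_FINE_LOCATION: granted=true
      android.permission.READ_EXTERNAL_STORAGE: granted=true
""",
}
# Permissions behind the capabilities the article lists: messages, contacts,
# microphone, camera, location and file access. The threshold is an assumption.
SPYWARE_PERMS = {
    "android.permission.READ_SMS", "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_EXTERNAL_STORAGE",
}
PLAY_STORE = "com.android.vending"

def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M)}

def granted_permissions(dumpsys_text: str) -> Set[str]:
    """Collect every permission marked granted=true in a dumpsys excerpt."""
    return set(re.findall(r"(android\.permission\.\w+): granted=true", dumpsys_text))

def triage(pm_list: str, dumpsys: Dict[str, str], threshold: int = 4) -> List[str]:
    """Flag non-Play packages holding at least `threshold` spyware-relevant permissions."""
    flagged = []
    for pkg, installer in parse_pm_list(pm_list).items():
        if installer == PLAY_STORE:
            continue  # this sample arrived outside Play, so Play installs are skipped
        if len(granted_permissions(dumpsys.get(pkg, "")) & SPYWARE_PERMS) >= threshold:
            flagged.append(pkg)
    return flagged
```

On a live device, feed `triage()` the real `pm list packages -3 -i` output and a `dumpsys package <pkg>` capture per non-Play package; a hit is a lead for closer inspection, not a verdict.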

Zimperium CEO Shridhar Mittal said the malware was part of a trend. “We are starting to see an increasing number of RATs on mobile devices,” he said. “And the level of sophistication seems to be going up. It seems like the bad actors have realized that mobile devices have just as much information on them and are much less protected than the traditional endpoints,” he added.