
Researchers have discovered a new information-stealing Trojan targeting Android devices with a broad set of data exfiltration capabilities, from collecting browser searches to recording audio and phone calls.
While Android malware has previously hidden behind copycat applications bearing names similar to legitimate software, this sophisticated new malicious app disguises itself as a "System Update" application to take control of compromised devices.
"The spyware creates a notification if the device's screen is off when it receives a command using the Firebase messaging service," Zimperium researchers said in an analysis on Friday. "The update check is not a legitimate notification from the operating system, but the spyware."
Once installed, the spyware begins by registering the device with a Firebase command-and-control (C2) server, reporting information such as battery percentage, storage statistics and whether WhatsApp is installed. It then collects any data of interest and uploads it to the server as an encrypted ZIP file.

The spyware packs a wide range of stealth-focused capabilities, including stealing contacts, browser bookmarks and search history, stealing messages by abusing accessibility services, recording audio and phone calls, and taking photos with the phone's cameras. It can also track the victim's location, search for files with specific extensions, and read the contents of the device's clipboard.
"Spyware functionality and data exfiltration are triggered under multiple conditions, such as a new contact being added, a new SMS being received, or a new app being installed, using Android's broadcast receivers and content observers," the researchers said.
Moreover, the malware not only organises the collected data into several folders in its private storage, but also covers its tracks by deleting the ZIP files as soon as it receives a "success" message from the C2 server after exfiltration. In a further attempt to evade detection and stay under the radar, the spyware also reduces bandwidth consumption by uploading thumbnails rather than the full-size images and videos stored in external storage.
Although the "System Update" app has never been distributed through the official Google Play Store, the research once again highlights how third-party app stores can harbor dangerous malware. The identity of the operators behind the malware, the targeted victims and the ultimate motive behind the campaign remain unclear.
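Two traits described above make this family easy to triage on a device without knowing its package name: it is sideloaded rather than installed from Google Play, and it relies on an accessibility service to read messages. The script below is an added example, not code from the Zimperium analysis or from the malware, and the sample command outputs and the package name com.example.sysupdate are constructed for the demo. It parses the output of two real adb commands, `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services` (line formats assumed from current Android builds), and flags any app that holds accessibility access but was not installed by the Play Store.

```python
"""Flag sideloaded Android apps that have an accessibility service enabled.

Added example (not part of the original article). Inputs are the text
output of two adb commands; the samples below are constructed.
"""
import re
from typing import Dict, List, Optional

# Installer package IDs treated as acceptable. A sideloaded APK usually
# reports installer=null, which is exactly the case we want to surface.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -i`.
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
"""

# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/ServiceClass entries).
SAMPLE_A11Y = (
    "com.example.sysupdate/com.example.sysupdate.UpdateAccessibilityService:"
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
)

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer ID (None when the device reports null)."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        match = _PM_LINE.match(line.strip())
        if not match:
            continue  # skip blank or unexpected lines
        pkg, installer = match.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def parse_accessibility(setting: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service class names."""
    services: Dict[str, List[str]] = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        services.setdefault(pkg, []).append(cls)
    return services


def flag_suspect_apps(pm_output: str, a11y_setting: str) -> List[dict]:
    """Return apps with accessibility access whose installer is not trusted.

    An app absent from the package list (installer unknown) is also flagged,
    since we cannot vouch for it.
    """
    installers = parse_installers(pm_output)
    a11y = parse_accessibility(a11y_setting)
    findings = []
    for pkg, classes in a11y.items():
        installer = installers.get(pkg)
        if installer in TRUSTED_INSTALLERS:
            continue
        findings.append(
            {"package": pkg, "installer": installer, "services": classes}
        )
    return findings


if __name__ == "__main__":
    for finding in flag_suspect_apps(SAMPLE_PM_LIST, SAMPLE_A11Y):
        print(
            f"SUSPECT {finding['package']} "
            f"(installer={finding['installer']}): "
            + ", ".join(finding["services"])
        )
```

On a real device, pipe the two adb commands into the parsers instead of the constructed samples. Expect some noise: preinstalled system apps (the vendor's own accessibility helpers, for example) also report installer=null, so pair the result with `pm list packages -s` or an allow-list of system packages before treating a hit as malicious.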