Researchers have discovered a new information-stealing trojan, which targets Android devices with an onslaught of data-exfiltration capabilities — from collecting browser searches to recording audio and phone calls.
While malware on Android has previously taken the guise of copycat apps, which go under names similar to legitimate pieces of software, this sophisticated new malicious app masquerades itself as a System Update application to take control of compromised devices.
“The spyware creates a notification if the device’s screen is off when it receives a command using the Firebase messaging service,” Zimperium researchers said in a Friday analysis. “The ‘Searching for update..’ is not a legitimate notification from the operating system, but the spyware.”
Once installed, the sophisticated spyware campaign sets about its task by registering the device with a Firebase command-and-control (C2) server with information such as battery percentage, storage stats, and whether the phone has WhatsApp installed, followed by amassing and exporting any data of interest to the server in the form of an encrypted ZIP file.
The spyware features myriad capabilities with a focus on stealth, including tactics to pilfer contacts, browser bookmarks, and search history, steal messages by abusing accessibility services, record audio, and phone calls, and take photos using the phone’s cameras. It can also track the victim’s location, search for files with specific extensions, and grab data from the device’s clipboard.
“The spyware’s functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or, a new application installed by making use of Android’s contentObserver and Broadcast receivers,” the researchers said.
What’s more, the malware not only organizes the collected data into several folders inside its private storage, it also wipes out any trace of malicious activity by deleting the ZIP files as soon as it receives a “success” message from the C2 server post exfiltration. In a further bid to evade detection and fly under the radar, the spyware also reduces its bandwidth consumption by uploading thumbnails as opposed to the actual images and videos present in external storage.
Although the “System Update” app was never distributed through the official Google Play Store, the research once again highlights how third-party app stores can harbor dangerous malware. The identity of the malware authors, the targeted victims, and the ultimate motive behind the campaign remains unclear as yet.