
The Latest Android System Update May Contain a New Android Spyware

by CISOCONNECT Bureau

Security researchers have discovered a new data-stealing trojan that targets Android devices and has a slew of data-exfiltration features, including the ability to collect web searches and capture audio and phone calls.

Although Android based malware has previously disguised itself as copycat apps with names that sound close to legitimate applications, this sophisticated new malicious app poses as a System Update application to gain control of infected devices.

Zimperium researchers disclosed in an analysis: “The spyware creates a notification if the device’s screen is off when it receives a command using the Firebase messaging service,”

“The ‘Searching for update..’ is not a legitimate notification from the operating system, but the spyware.”

Working Mechanism
Upon installation, the spyware registers the device with a Firebase command-and-control (C2) server, sending basic device data such as storage statistics, battery percentage, and whether WhatsApp is installed. It then begins exporting any data of interest to the server in the form of an encrypted ZIP file.

The spyware includes techniques to steal contacts, browser bookmarks, and search history; to steal messages by abusing accessibility services; to capture audio and phone calls; and to take pictures with the phone’s cameras, all with an emphasis on stealth. It can also monitor the victim’s location, look for files with specific extensions, and copy data from the device’s clipboard.

The researchers said: “The spyware’s functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or a new application installed by making use of Android’s contentObserver and Broadcast receivers,”

Furthermore, the malware not only organises the collected data into several folders inside its private storage but also removes traces of its activity by deleting the ZIP files as soon as it receives a “success” notification from the C2 server after exfiltration. To keep a low profile and avoid detection, the spyware reduces its bandwidth usage by uploading thumbnails rather than the full-size images and videos stored on external storage.

Although the “System Update” app was never distributed through the official Google Play Store, the findings show that third-party app stores can host dangerous malware. The identity of the malware developers, the victims who were targeted, and the campaign’s ultimate goal are still unknown.
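A defender-side triage check based on two traits described above: the app was sideloaded rather than installed from Google Play, and it abuses accessibility services to read messages. This is an added example, not code from the article or from Zimperium; it assumes the output format of `adb shell pm list packages -3 -i` and of `adb shell settings get secure enabled_accessibility_services`, and all package names below are constructed.

```python
import re

# Constructed sample of `adb shell pm list packages -3 -i` output (third-party
# packages and the installer that placed them); package names are made up.
PM_LIST_OUTPUT = """\
package:com.example.bank  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.keyboard  installer=com.thirdparty.store
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
ACCESSIBILITY_OUTPUT = "com.example.sysupdate/.svc.AccessSvc:com.example.keyboard/.KbService"

# Installers treated as trusted; anything else (including 'null') counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed line shape: "package:<pkg>  installer=<installer-or-null>"
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Map package name -> installer package ('null' when the installer is unknown)."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_accessibility(text):
    """Packages owning an enabled accessibility service ('pkg/.Service' entries, ':'-separated)."""
    return {entry.split("/", 1)[0] for entry in text.strip().split(":") if entry}


def triage(pm_text, accessibility_text, trusted=TRUSTED_INSTALLERS):
    """Return (package, installer, has_accessibility) for every sideloaded package,
    with those that also hold an enabled accessibility service listed first."""
    installers = parse_pm_list(pm_text)
    acc_pkgs = parse_accessibility(accessibility_text)
    findings = [(pkg, inst, pkg in acc_pkgs)
                for pkg, inst in installers.items() if inst not in trusted]
    findings.sort(key=lambda f: (not f[2], f[0]))
    return findings


if __name__ == "__main__":
    for pkg, installer, acc in triage(PM_LIST_OUTPUT, ACCESSIBILITY_OUTPUT):
        print(f"{pkg:<28} installer={installer:<22} {'ACCESSIBILITY' if acc else ''}")
```

On a real device, feed the script the two `adb shell` outputs and review any sideloaded package that also appears in the accessibility list before trusting it.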
