Android spyware disguised as 'system update' app discovered

This malware strain steals private messaging and location data while also recording phone calls

A sophisticated strain of malware capable of stealing user data from infected Android devices is masquerading as the System Update application.

The malicious mobile app, which functions as a Remote Access Trojan (RAT), is part of a sophisticated spyware campaign that has the ability to record audio from devices, take photos, and access WhatsApp messages, according to Zimperium researchers.

Once installed, it registers with its own Firebase command and control (C&C) server, normally used by legitimate Android developers, as well as a second independent C&C server, to send across an initial cache of information. This includes information about whether WhatsApp is installed or not, battery percentage, storage stats, and other information. It can only be installed from a third party store and not the Google Play store.

The malware then receives commands to initiate various actions such as the recording of audio from the microphone or data exfiltration. Researchers have also discovered the malware is capable of inspecting web browsing data, stealing images and videos, monitoring GPS locations, stealing phone contacts and call logs, and exfiltrating device information.

The device also asks permission to enable accessibility services, and abuses this to collect conversations and message details from WhatsApp by scraping the content on the screen after detecting whether the user is accessing the messaging service.

It hides by concealing the icon from the device’s main menu or app drawer, while also posing as the legitimate System Update app to avoid suspicion. When the device’s screen is turned off, the spyware creates a ‘searching for updates’ notification using the Firebase messaging service which allows it to generate push notifications.

The spyware’s functionality is triggered under various conditions, including when a new contact is added, a new text message is received or a new application installed. It does so by exploiting Android’s receivers including ‘contentObserver’ and ‘Broadcast’, which allows communication between the device and the server.

The Firebase messaging service is only used to initiate malicious functions, such as audio recording or data exfiltration, by sending commands to infected devices. The data itself is then collected by the second dedicated C&C server.

The spyware also only collects up-to-date information, with a refresh rate of roughly five minutes for location and networking data. The same applies to photos taken using the device’s camera, but the value is instead set to 40 minutes.

Researchers have so far been unable to determine who is behind the campaign, or whether the hackers are trying to target specific users. Given this spyware can only be downloaded outside of the Google Play store, users are strongly advised not to download applications to their phones from unsafe third-party sources.

Featured Resources

Preparing for AI-enabled cyber attacks

MIT technology review insights

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud Compute Engine

Download now

The Forrester Wave: Top security analytics platforms

The 11 providers that matter most and how they stack up

Download now

Harness data to reinvent your organisation

Build a data strategy for the next wave of cloud innovation

Download now

Recommended

New malware uses search engine ads to target pirate gamers
malware

New malware uses search engine ads to target pirate gamers

21 Jul 2021
HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021

Most Popular

UK gov considers blocking Nvidia's takeover of Arm
Acquisition

UK gov considers blocking Nvidia's takeover of Arm

4 Aug 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021
Preparing for AI-enabled cyber attacks
Whitepaper

Preparing for AI-enabled cyber attacks

22 Jul 2021