A new malware with extensive spyware capabilities steals data from infected Android devices and is designed to automatically trigger whenever new info is ready to be exfiltrated.
The spyware gets installed as a ‘System Update’ app available via third-party Android app stores and is not available on Google’s Play Store.
Consequently, the most experienced users are most likely to avoid installing the app, which limits the number of devices it can infect. The malware also cannot spread to other Android devices on its own.
This remote access trojan (RAT), first observed by security researchers at Zimperium, can collect and exfiltrate an extensive array of information to its command-and-control server.
It could steal data, messages, images and take control of Android phones. Once it gains control, the threat actors can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and much more.
According to Zimperium, the extensive range of data theft capabilities of the spyware includes:
- Stealing instant messenger messages;
- Stealing instant messenger database files (if root is available);
- Inspecting the default browser’s bookmarks and searches;
- Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser;
- Searching for files with specific extensions (including .pdf, .doc, .docx, .xls and .xlsx);
- Inspecting the clipboard data;
- Inspecting the content of the notifications;
- Recording audio and phone calls;
- Periodically taking pictures through the front or back cameras;
- Listing of the installed applications;
- Stealing images and videos;
- Monitoring the GPS location;
- Stealing SMS messages, phone contacts and call logs;
- Exfiltrating device information (e.g., installed applications, device name, storage stats).
After installation on an Android device, the malware sends several pieces of information to its Firebase command-and-control (C2) server, including storage stats, the internet connection type, and the presence of various apps such as WhatsApp.
It collects data directly if it has root access; otherwise it uses Accessibility Services after tricking the victim into enabling that feature on the compromised device.
It will also scan the external storage for any stored or cached data, harvest it and deliver it to the C2 servers when the user connects to a Wi-Fi network.
However, unlike most spyware, this malware is triggered through Android’s ContentObserver and BroadcastReceiver mechanisms only when certain conditions are met, such as a new contact being added, a new text message arriving, or a new app being installed.
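As an added defender-side example (my own code, not Zimperium's or the article's), the following Python script triages an AndroidManifest.xml for the combination of traits described above: permissions matching the listed data-theft capabilities, receivers registered for the SMS and package-install events the malware uses as triggers, an accessibility service (the non-root data path), and a "System Update" style label. The capability-to-permission mapping, the scoring weights and the sample manifest are all constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
# Capabilities the article lists, mapped to the permission each needs (my own reduced mapping).
CAPABILITY_PERMS = {
    "audio/call recording": {"android.permission.RECORD_AUDIO"},
    "camera capture": {"android.permission.CAMERA"},
    "SMS theft": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contact/call-log theft": {"android.permission.READ_CONTACTS", "android.permission.READ_CALL_LOG"},
    "GPS tracking": {"android.permission.ACCESS_FINE_LOCATION"},
}
# Broadcast actions an event-triggered collector registers for (new SMS, new app install).
TRIGGER_ACTIONS = {"android.provider.Telephony.SMS_RECEIVED", "android.intent.action.PACKAGE_ADDED"}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(xml_text):
    """Return spyware-style indicators found in an AndroidManifest.xml, plus a crude score."""
    root = ET.fromstring(xml_text)
    app = root.find("application")
    perms = {p.get(A + "name") for p in root.findall("uses-permission")}
    caps = sorted(c for c, need in CAPABILITY_PERMS.items() if need & perms)
    # receivers whose intent filters match the collection triggers named in the article
    triggers = sorted(a.get(A + "name") for r in app.findall("receiver")
                      for a in r.iter("action") if a.get(A + "name") in TRIGGER_ACTIONS)
    # a service bound as an accessibility service is the non-root data path
    acc = any(s.get(A + "permission") == ACCESSIBILITY for s in app.findall("service"))
    # label impersonating a system component, as the "System Update" app does
    fake_sys = "update" in (app.get(A + "label") or "").lower()
    return {"capabilities": caps, "event_triggers": triggers, "accessibility_service": acc,
            "impersonates_system": fake_sys,
            "score": len(caps) + len(triggers) + 2 * acc + 2 * fake_sys}

# Constructed sample manifest (not the real sample) resembling the behaviour described above.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.upd">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="System Update">
    <receiver android:name=".Trigger"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      <action android:name="android.intent.action.PACKAGE_ADDED"/>
    </intent-filter></receiver>
    <service android:name=".Acc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE))
```

A manifest can be extracted from an APK with standard tooling (for example apktool) before being fed to `triage_manifest`; a high score is a reason to inspect the app, not proof of malice.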
The malware will display fake “Searching for update..” system update notifications when it receives new commands from its masters to camouflage its malicious activity.
The spyware also conceals its presence on infected Android devices by hiding the icon from the menu.
To further avoid detection, it steals only thumbnails of the videos and images it finds, reducing the victim’s bandwidth consumption so that the background exfiltration does not draw their attention.
Also, this malware exfiltrates only the most recent data, collecting location data created and photos taken within the last few minutes.
Image credit: BlackBerry Blog