A new Android spyware masquerades as a ‘system update’

Security researchers say a absolute new Android malware masquerading as a vicious complement refurbish can take finish control of a victim’s device and take their data.

The malware was found bundled in an app called “System Update” that had to be commissioned outward of Google Play, a app store for Android devices. Once commissioned by a user, a app hides and secretly exfiltrates information from a victim’s device to a operator’s servers.

Researchers during mobile confidence organisation Zimperium, that detected a antagonistic app, pronounced once a plant installs a antagonistic app, a malware communicates with a operator’s Firebase server, used to remotely control a device.

The spyware can take messages, contacts, device details, browser bookmarks and hunt history, record calls and ambient sound from a microphone, and take photos regulating a phone’s cameras. The malware also marks a victim’s location, searches for request files, and grabs copied information from a device’s clipboard.

The malware hides from a plant and tries to hedge constraint by shortening how many network information it consumes by uploading thumbnails to a attacker’s servers rather than a full image. The malware also captures a many present data, including plcae and photos.

Zimperium CEO Shridhar Mittal pronounced a malware was expected partial of a targeted attack.

“It’s simply a many worldly we’ve seen,” pronounced Mittal. “I consider a lot of time and bid was spent on formulating this app. We trust that there are other apps out there like this, and we are perplexing a really best to find them as shortly as possible.”

A screenshot of a malware masquerading as a complement refurbish using on an Android phone. The malware can take full control of an influenced device. (Image: Zimperium)

Tricking someone into installing a antagonistic app is a elementary though effective approach to concede a victim’s device. It’s because Android inclination advise users not to implement apps from outward of a app store. But many comparison inclination don’t run a latest apps, forcing users to rest on comparison versions of their apps from illicit app stores.

Mittal reliable that a antagonistic app was never commissioned on Google Play. When reached, a Google orator would not criticism on what stairs a association was holding to forestall a malware from entering a Android app store. Google has seen antagonistic apps trip by a filters before.

This kind of malware has inclusive entrance to a victim’s device comes in a accumulation of forms and names, though mostly does a same thing. In a early days of a internet, remote entrance trojans, or RATs, let snoops view on victims by their webcams. Nowadays, child monitoring apps are mostly repurposed to view on a person’s spouse, famous as stalkerware or spouseware.

Last year, TechCrunch reported on a KidsGuard stalkerware — evidently a child monitoring app — that used a identical “system update” to taint victims’ devices.

But a researchers don’t know who done a malware or who it’s targeting.

“We are starting to see an augmenting series of RATs on mobile devices. And a turn of sophistication seems to be going up, it seems like a bad actors have satisfied that mobile inclination have only as many information on them and are many reduction stable than a normal endpoints,” pronounced Mittal.

A ‘stalkerware’ app leaked phone information from thousands of victims

Send tips firmly over Signal and WhatsApp to +1 646-755-8849. You can also send files or papers using SecureDrop.