
Researchers have discovered a new information-stealing Trojan targeting Android devices with a wide range of data exfiltration capabilities, from collecting browser search history to recording audio and phone calls.
While Android malware has previously posed as impersonator apps bearing names similar to legitimate programs, this sophisticated new malware masquerades as a system update app in order to monitor compromised devices.
“The spyware creates a notification if the device screen is off when it receives a command via the Firebase messaging service,” Zimperium researchers said in an analysis published Friday. “The ‘Check for updates …’ notification is not a legitimate notification from the operating system, but from the spyware.”
Once installed, the spyware registers the device with a Firebase command-and-control (C2) server, reporting information such as battery percentage, storage statistics, and whether the phone has WhatsApp installed, and then collects and exports any data of interest to the server in the form of an encrypted ZIP file.

The spyware has a myriad of capabilities focused on stealth, including harvesting contacts, browser bookmarks and search history, stealing messages by abusing accessibility services, recording audio and phone calls, and taking photos with the phone’s cameras. It can also track the victim’s location, search for files with specific extensions, and retrieve data from the device clipboard.
“The spyware’s functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, a new SMS received, or a new application installed, by making use of Android’s ContentObserver and BroadcastReceiver,” the researchers said.
In addition, the malware not only organizes the collected data in multiple folders within its private storage, but also removes traces of its malicious activity by deleting the ZIP files as soon as it receives the “success” message from the C2 server after exfiltration. In another bid to evade detection and fly under the radar, the spyware also reduces bandwidth consumption by uploading thumbnails instead of the actual images and videos present in external storage.
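As an added defender-side example (not Zimperium’s tooling or part of the original article), the following Python triage helper scores a decoded AndroidManifest.xml for the capability mix described above: an accessibility-service binding, SMS and app-install broadcast triggers, a Firebase messaging service, the audio, contact and location permissions, and a “System Update” lure label. The manifest it analyses is constructed for illustration; the permission and action names are real Android/Firebase identifiers, and the review threshold of 4 is an arbitrary assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions implied by the capabilities the article lists (contacts, SMS,
# audio, camera, location). Identifiers are real Android permission names.
SUSPECT_PERMISSIONS = {
    "android.permission.READ_CONTACTS", "android.permission.RECEIVE_SMS",
    "android.permission.READ_SMS", "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA", "android.permission.ACCESS_FINE_LOCATION",
}
# Intent actions matching the described triggers and the Firebase C2 channel.
SUSPECT_ACTIONS = {
    "android.accessibilityservice.AccessibilityService",  # message theft via accessibility
    "android.provider.Telephony.SMS_RECEIVED",             # "new SMS received" trigger
    "android.intent.action.PACKAGE_ADDED",                 # "new application installed" trigger
    "com.google.firebase.MESSAGING_EVENT",                 # Firebase push used to wake the spyware
}

# Constructed manifest for illustration only; not taken from any real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.update">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Update">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <service android:name=".Push">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <receiver android:name=".SmsWatch">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

def score_manifest(manifest_xml: str, threshold: int = 4) -> dict:
    # Returns matched indicators, a score and a verdict; threshold is an assumption.
    root = ET.fromstring(manifest_xml)
    perms = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    actions = {a.get(ANDROID_NS + "name") for a in root.iter("action")}
    hits = sorted((perms & SUSPECT_PERMISSIONS) | (actions & SUSPECT_ACTIONS))
    label = root.find("application").get(ANDROID_NS + "label", "")
    # A "System Update" label on a sideloaded APK is the lure the article describes.
    lure = "update" in label.lower()
    verdict = "review" if len(hits) >= threshold or (lure and hits) else "low"
    return {"hits": hits, "score": len(hits), "label": label, "lure": lure, "verdict": verdict}
```

Real APKs carry a binary manifest, so decode it to text first (for example with apktool) before passing it to `score_manifest`.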
Although the “System Update” app was never distributed through the official Google Play Store, the research again shows how third-party app stores can harbor dangerous malware. The identity of the malware’s operators, the intended victims, and the ultimate motive behind the campaign are still unclear.