
Android spyware disguised as system update

Researchers have discovered a new type of Android spyware that poses as a critical system update to trick users into installing it, after which it takes control of the victim's device and steals their data. The malware was found bundled in an application called "System Update", which has to be installed from outside Google Play, the device's application store.

Once the victim installs the malicious application, the malicious software communicates with the operator’s server for remote control of the device.

The malicious software steals a wide range of data and can:

Steal instant messenger information
Steal instant messenger database files (if root permissions are available)
Read the bookmarks and search history of the default browser
Read the bookmarks and search history of Google Chrome, Firefox and the Samsung browser
Search for files with specific extensions (including .pdf, .doc, .docx, .xls and .xlsx)
Read clipboard data
Read the content of notifications
Record audio
Record phone calls
Periodically take pictures (via the front or rear camera)
List installed applications
Steal images and videos
Track GPS location
Steal text messages
Steal phone contacts
Steal call logs
Steal device information (such as installed applications, device name, storage statistics)

The malware hides itself from the victim and tries to keep its network data usage low by uploading thumbnails instead of full-size images to the attacker's server, which also helps it evade detection. It can also collect only the most recent data, such as location and photos.

Commands received through the Firebase messaging service trigger actions such as recording audio from the microphone and exfiltrating data such as SMS messages. Firebase communication is used only to issue commands; a dedicated C&C server collects the stolen data through POST requests.


Zimperium CEO Shridhar Mittal said that the malware is likely to be part of a targeted attack.

Tricking people into installing malicious applications is a simple but effective way to compromise a victim's device. This is why devices warn users not to install apps from outside the app store. But many older devices cannot run the latest apps, which pushes users to rely on old apps from pirated app stores.
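Because this spyware can only arrive by sideloading, one practical triage step on a suspected device is to list third-party packages together with the package that installed them and flag any that did not come from a trusted store. The script below is an added example, not part of the original article or of Zimperium's research; it assumes the output shape of `adb shell pm list packages -3 -i` (`package:<name>  installer=<installer package|null>`), and the package names in the sample are constructed placeholders, not identifiers from the advisory.

```python
"""Flag sideloaded third-party packages from `adb shell pm list packages -3 -i` output."""
import re

# Installer package names of common first-party stores.
# Assumption: this list is not exhaustive; add your enterprise MDM or store here.
TRUSTED_INSTALLERS = frozenset({
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
})

# Assumed line format of `pm list packages -3 -i`:
#   package:<package_name>  installer=<installer_package|null>
_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text):
    """Return {package_name: installer_package_or_None} parsed from pm output."""
    result = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue  # blank lines or anything that is not a package entry
        pkg, installer = m.group(1), m.group(2)
        result[pkg] = None if installer == "null" else installer
    return result


def sideloaded(text, trusted=TRUSTED_INSTALLERS):
    """Packages whose installer is unknown or is not one of the trusted stores."""
    return sorted(
        pkg for pkg, installer in parse_pm_list(text).items()
        if installer is None or installer not in trusted
    )


# Constructed sample output (placeholder package names, not from the advisory).
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.systemupdate  installer=null
package:org.example.sideload  installer=com.example.filemanager
package:com.example.galaxyapp  installer=com.sec.android.app.samsungapps
"""

if __name__ == "__main__":
    for pkg in sideloaded(SAMPLE_PM_OUTPUT):
        print("review:", pkg)
```

Packages with `installer=null` were installed via a file manager, a browser download or `adb install`, so on a managed fleet every entry this reports deserves a closer look; restrict the listing to third-party packages (`-3`) because preloaded system apps also report a null installer.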

IOCs

C&C
hxxps://mypro-b3435.firebaseio.com
hxxps://licences.website/backendNew/public/api/

MD5
e9c74adeb0fb209cb57f975f3614b2d0
dd2c4abe20185af37b453aec5a99c165

SHA1
52a508fef60082e1e4ece9109d2cec1d407a0b92
f50b28e6d00c8ed8091f7fc8f895bb25c824bfd2

SHA256
96de80ed5ff6ac9faa1b3a2b0d67cee8259fda9f6ad79841c341b1c3087e4c92
6301e2673e7495ebdfd34fe51792e97c0ac01221a53219424973d851e7a2ac93
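To put the indicators above to use, a defender typically refangs the C&C URLs, extracts their hostnames, and sweeps proxy or DNS logs for them, while separately comparing APK digests from a file inventory against the published hashes. The script below is an added example, not part of the original article or of Zimperium's research; the IOC values are copied from the list above, and the log lines and file inventory it scans are constructed samples.

```python
"""Sweep log lines and a file-hash inventory for the IOCs published in the advisory."""
import re
from urllib.parse import urlparse

# IOCs as published above (URLs defanged with 'hxxps').
C2_URLS = [
    "hxxps://mypro-b3435.firebaseio.com",
    "hxxps://licences.website/backendNew/public/api/",
]
FILE_HASHES = {
    "e9c74adeb0fb209cb57f975f3614b2d0",
    "dd2c4abe20185af37b453aec5a99c165",
    "52a508fef60082e1e4ece9109d2cec1d407a0b92",
    "f50b28e6d00c8ed8091f7fc8f895bb25c824bfd2",
    "96de80ed5ff6ac9faa1b3a2b0d67cee8259fda9f6ad79841c341b1c3087e4c92",
    "6301e2673e7495ebdfd34fe51792e97c0ac01221a53219424973d851e7a2ac93",
}


def refang(url):
    """Turn a defanged 'hxxp(s)://' URL back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def ioc_hosts(urls=C2_URLS):
    """Lower-cased hostnames of the C&C URLs."""
    return {urlparse(refang(u)).hostname.lower() for u in urls}


# Anything that looks like a hostname with an alphabetic TLD (IPs are ignored).
_HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def find_c2_hits(log_lines, hosts=None):
    """Return (line_number, host) for each log line naming a C&C host or a subdomain of one."""
    hosts = ioc_hosts() if hosts is None else hosts
    hits = []
    for number, line in enumerate(log_lines, 1):
        for m in _HOST.finditer(line):
            host = m.group(1).lower()
            if host in hosts or any(host.endswith("." + h) for h in hosts):
                hits.append((number, host))
                break  # one hit per line is enough
    return hits


def hash_algo(digest):
    """Infer the digest algorithm from its hex length."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest))


def find_hash_hits(inventory):
    """inventory: iterable of (path, hex_digest). Returns (path, algo, digest) for matches."""
    return [
        (path, hash_algo(digest.lower()), digest.lower())
        for path, digest in inventory
        if digest.lower() in FILE_HASHES
    ]


# Constructed sample proxy log lines (timestamps and client IPs are made up).
SAMPLE_LOG = [
    "2021-03-29T10:01:02Z 10.0.0.5 CONNECT mypro-b3435.firebaseio.com:443",
    "2021-03-29T10:01:05Z 10.0.0.5 POST https://licences.website/backendNew/public/api/ 200",
    "2021-03-29T10:02:00Z 10.0.0.7 GET https://www.example.org/index.html 200",
]

# Constructed sample inventory: one path carrying a published MD5, one benign file.
SAMPLE_INVENTORY = [
    ("/sdcard/Download/update.apk", "E9C74ADEB0FB209CB57F975F3614B2D0"),
    ("/sdcard/Download/notes.pdf", "d41d8cd98f00b204e9800998ecf8427e"),
]

if __name__ == "__main__":
    for number, host in find_c2_hits(SAMPLE_LOG):
        print(f"C2 contact on line {number}: {host}")
    for path, algo, digest in find_hash_hits(SAMPLE_INVENTORY):
        print(f"known sample {path} ({algo} {digest})")
```

Matching on the hostname rather than the full URL is deliberate: the second C&C is a path on a domain the operator controls, but the first is a Firebase Realtime Database instance, so the project-specific subdomain is the part worth alerting on, not the shared `firebaseio.com` parent.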