Researchers have discovered a new type of Android spyware that pretends to be a key system update to induce users to install it, thereby controlling the victim’s device and stealing their data. The malware was found to be bundled in an application called “System Update” and must be installed outside of Google Play, the Android device’s application store.
Once the victim installs the malicious application, the malicious software communicates with the operator’s Firebase server for remote control of the device.
The malicious software stole a wide range of data, including:
Stealing instant messenger’s information
Stealing instant messenger’s database files (if you have root permissions)
Check the bookmarks and search of the default browser
Check the bookmarks and search history of Google Chrome, Firefox and Samsung browsers Search
for files with specific extensions (Including .pdf, .doc, .docx and .xls, .xlsx)
check clipboard data
check the content of notifications
record phone calls
regularly take pictures (via front or rear camera)
list installed apps to
steal images and Video
surveillance GPS location
Steal text messages
Steal mobile phone contacts
Steal call records
Steal device information (such as installed applications, device names, storage statistics)
The malware hides from the victim and attempts to reduce network data consumption by uploading thumbnails instead of complete images to the attacker’s server, thereby evading detection. The malware can also capture the latest data, including location and photos.
Commands received through the Firebase messaging service will initiate operations such as recording audio from the microphone and leaking data such as SMS messages. firebase communication is used only to issue commands, and a dedicated C&C server is used to collect stolen data through POST requests.
Zimperium CEO Shridhar Mittal said that the malware is likely to be part of a targeted attack.
Inducing others to install malicious applications is a simple but effective method that can compromise the victim’s device. This is why Android devices warn users not to install apps outside of the app store. But many old devices cannot run the latest apps, forcing users to rely on old apps from pirated app stores.