New Spyware: Fake Android System Update Steals Almost All Device Data
An innocent-looking but fake System Update could devastate your Android device if you aren’t careful. It is actually new malware carrying spyware that can steal almost everything if it gets onto your system.
First, the scary news. This latest spyware nightmare is a remote access trojan (RAT) that can steal “data, messages, images and [take] control of Android phones” if you install it on your device. It collects information and exfiltrates it to its command-and-control (C2) server, including storage stats, internet connection type, and the presence of certain apps.
"Once in control, hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more," said the Zimperium researchers who discovered it.
The spyware can:
- Steal instant messenger messages;
- Steal instant messenger database files (if root is available);
- Inspect the default browser's bookmarks and searches;
- Inspect the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser;
- Search for files with specific extensions (including .pdf, .doc, .docx, .xls, and .xlsx);
- Inspect the clipboard data;
- Inspect the content of the notifications;
- Record audio;
- Record phone calls;
- Periodically take pictures (either through the front or back cameras);
- List the installed applications;
- Steal images and videos;
- Monitor the GPS location;
- Steal SMS messages;
- Steal phone contacts;
- Steal call logs;
- Exfiltrate device information (e.g., installed applications, device name, storage stats).
(via Bleeping Computer): The spyware either harvests data directly if it has root access, or it uses Accessibility Services after tricking the victims into enabling the feature on the compromised device. Incredibly, it will also scan the external storage for any stored or cached data, harvest it and deliver it to the C2 servers when the user connects to a Wi-Fi network.
It's sneakier and harder to spot than other malware because it hides in plain sight:
- It hides the icon from the drawer/menu;
- It steals only thumbnails of the videos and images it finds, lowering victims’ bandwidth consumption so the background data exfiltration is less likely to be noticed;
- It exfiltrates only the most recent data, collecting location data created and photos taken within the last few minutes.
Perhaps the good news is that it’s not easy to get infected with this malware. First, it can only be downloaded via a “System Update” app from third-party Android app stores; it was never in the Google Play store. Second, the malware has no way to infect other Android devices on its own. Finally, it reportedly only triggers when some conditions are met, like the addition of a new contact, new text messages, or new apps being installed. Then, the malware displays a fake "Searching for update..." system update notification.
So take care to only download apps from reputable, verified sources, and keep your data safe from prying eyes!
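
The two traits described above (abuse of Accessibility Services and installation from outside Google Play) can be checked together on a device you manage. The following is an added example, not code from the researchers or the original article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`, and flags user-installed apps that hold an accessibility service but were not installed by a trusted store. The sample outputs are constructed, the `com.example.*` package names are placeholders, and treating only Google Play as trusted is an assumption.

```python
import re

# Assumption: Google Play is the only trusted installer; add an enterprise
# or OEM store here if your fleet uses one.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(setting):
    """Packages named in a colon-separated 'pkg/service' component list."""
    setting = setting.strip()
    if not setting or setting == "null":  # nothing enabled
        return set()
    return {c.split("/", 1)[0] for c in setting.split(":") if c}

def parse_installers(pm_output):
    """Map package -> installer from 'package:<pkg>  installer=<src>' lines."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def suspicious_accessibility_apps(setting, pm_third_party):
    """User-installed apps that hold an accessibility service but did not
    come from a trusted store. Preinstalled apps are absent from the -3
    listing, so they are skipped."""
    installers = parse_installers(pm_third_party)
    return sorted(p for p in parse_accessibility(setting)
                  if p in installers and installers[p] not in TRUSTED_INSTALLERS)

# Constructed sample output; com.example.* names are placeholders.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.reader/.ReadAloudService:"
    "com.example.systemupdate/.UpdateService"
)
SAMPLE_PM = """\
package:com.example.notes  installer=com.android.vending
package:com.example.reader  installer=com.android.vending
package:com.example.systemupdate  installer=null
"""

if __name__ == "__main__":
    for pkg in suspicious_accessibility_apps(SAMPLE_SETTING, SAMPLE_PM):
        print("review:", pkg)
```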