Fake 'System Update' App Targets Android Users
Malware Steals Data, Messages, Images; Takes Control of Phones
Android device users are being targeted by a sophisticated spyware app that disguises itself as a "system update" application, warns mobile security firm Zimperium zLabs.
The app can steal data, messages and images and take control of phones. Once in control, the hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages and more, the security firm says.
Mobile phone use poses a significant cyber risk for businesses, The Defence Works, a subsidiary of cybersecurity company Proofpoint, says in a recent report. "The largest risk to businesses from breached mobile devices is that sensitive company - or even customer - data could be directly exposed to cyberattackers and used fraudulently or in further attacks," the report states.
Spyware Is a RAT
Zimperium zLabs says the malicious Android app it discovered functions as a remote access Trojan that receives and executes commands to collect and exfiltrate a wide range of data and perform malicious actions. Those include stealing instant messenger messages and database files - if root is available; inspecting the default browser’s bookmarks and searches; inspecting the bookmark and search history from Google Chrome, Mozilla Firefox and Samsung Internet Browser; and searching for files with specific extensions, including .pdf, .doc, .docx, .xls and .xlsx.
Other capabilities include recording audio and phone calls; periodically taking pictures through the front or back cameras; listing the installed applications; stealing images and videos; monitoring the GPS location; stealing SMS messages and phone contacts, including call logs; exfiltrating device information (e.g. installed applications, device name, storage stats); and concealing its presence by hiding the icon from the device’s drawer/menu.
The Zimperium zLabs researchers note that Google confirmed that the app has never been available on Google Play. It's available only in a third-party store, which the researchers did not identify in their report. Once the app is downloaded, the Android device is registered with the Firebase command and control and reports to the attackers such details as presence or absence of WhatsApp, battery percentage, storage stats and the type of internet connection, the Zimperium zLabs researchers say.
"Options to update the mentioned device information exist as “update” and “refreshAllData,” the difference being, in “update,” the device information alone is being collected and sent to C&C, whereas in “refreshAllData,” a new Firebase token is also generated and exfiltrated," says Aazim Yaswant, Android malware analyst at Zimperium zLabs. "The spyware’s functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or a new application installed by making use of Android’s ContentObserver and Broadcast receivers."
The researchers note that the commands received through the Firebase messaging service initiate actions, such as recording of audio from the microphone and exfiltration of data, such as SMS messages.
"The Firebase communication is used to issue the commands, and a dedicated C2 server is used to collect the stolen data by using a POST request," Yaswant says.
The spyware looks for any activity of interest, such as a phone call, to immediately record the conversation, collect the updated call log and then upload the contents to the C2 server as an encrypted ZIP file. To leave no trace of its malicious actions, it deletes the files as soon as it receives a “success” response from the C2 server on successfully receiving the uploaded files, the researchers explain.
"Along with the command “re” for recording the audio from the microphone, the parameters received are “from time” and “to time,” which are used to schedule a OneTimeWorkRequest job to perform the intended malicious activity," according to the researchers. "Such usage of job scheduling can be affected by battery optimizations applied on applications by the Android OS, due to which, the spyware requests permission to ignore battery optimizations and function unhindered."
Users of the malicious app are asked to enable accessibility services, which opens the door to collecting conversations and message details from WhatsApp by scraping the content on the screen after detecting that the package name of the top window matches com.whatsapp. This collected data is then stored within a SQLite database, the researchers say.
"In addition to collecting the messages using the accessibility services, if root access is available, the spyware steals the WhatsApp database files by copying them from WhatsApp’s private storage," Yaswant notes.
The spyware also steals clipboard data by registering clipboard listeners in the same way as it spies on SMS, GPS location, contacts, call logs, and notifications. The listeners, observers and broadcasted intents are used to perform actions, such as recording phone calls and collecting the thumbnails of images/videos newly captured by the victim.
"The Android device’s storage is searched for files smaller than 30MB and having file extensions from the list of “interesting” types (.pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx) to be copied to the private directory of the application and encrypted as a folder before exfiltration to the C2 server," the researchers note.
The spyware has the capability to access and steal contents cached and stored in external storage, Yaswant explains. "In an attempt to not exfiltrate all the images/videos, which can usually be quite large, the spyware steals the thumbnails which are much smaller in size," he says. "This would also significantly reduce the bandwidth consumption and avoid showing any sign of data exfiltration over the internet (assisting in evading detection). When the victim is using Wi-Fi, all the stolen data from all the folders is sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2."
The spyware also steals victims' bookmarks and search history from browsers such as Google Chrome, Mozilla Firefox and the Samsung Internet Browser.
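
For defenders, the traits described above (distribution outside Google Play, an enabled accessibility service, a request to ignore battery optimizations, a hidden launcher icon and broad access to data sources) can be combined into a simple triage rule over a device inventory. The sketch below is an added example, not code from Zimperium's report: the inventory schema, the thresholds and the mapping from the listed data sources to standard Android permission names are assumptions, and the sample package names are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Optional

P = "android.permission."
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

# Standard Android permissions gating the data sources the report lists
# (microphone, camera, SMS, contacts, call log, GPS, shared storage).
COLLECTION = {P + n for n in (
    "RECORD_AUDIO", "CAMERA", "READ_SMS", "READ_CONTACTS",
    "READ_CALL_LOG", "ACCESS_FINE_LOCATION", "READ_EXTERNAL_STORAGE")}

@dataclass
class App:  # one row of a device inventory (hypothetical schema)
    package: str
    installer: Optional[str]          # None = sideloaded or unknown source
    permissions: frozenset = frozenset()
    accessibility_enabled: bool = False
    has_launcher_icon: bool = True

def findings(app):
    """List which traits from the report this app exhibits."""
    out = []
    if app.installer != PLAY_STORE:
        out.append("installed from outside Google Play")
    if app.accessibility_enabled:
        out.append("accessibility service enabled")
    if P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS" in app.permissions:
        out.append("requests battery-optimization exemption")
    if not app.has_launcher_icon:
        out.append("no launcher icon")
    hits = sorted(p[len(P):] for p in app.permissions & COLLECTION)
    if len(hits) >= 4:  # assumed cut-off for "broad" collection access
        out.append("broad collection permissions: " + ", ".join(hits))
    return out

def triage(apps, threshold=3):
    """Map package -> findings for apps showing at least `threshold` traits."""
    scored = {a.package: findings(a) for a in apps}
    return {pkg: f for pkg, f in scored.items() if len(f) >= threshold}

# Constructed inventory; package names are placeholders, not indicators.
SAMPLE = [
    App("com.example.sysupdate", None,
        frozenset(COLLECTION | {P + "REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"}),
        accessibility_enabled=True, has_launcher_icon=False),
    App("com.example.camera", PLAY_STORE, frozenset({
        P + "CAMERA", P + "RECORD_AUDIO",
        P + "ACCESS_FINE_LOCATION", P + "READ_EXTERNAL_STORAGE"})),
    App("com.example.screenreader", PLAY_STORE, accessibility_enabled=True),
    App("com.example.game", None),
]
```

No single trait is conclusive: the constructed camera and screen-reader apps each trip one rule, and only the combination is flagged.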