A new “sophisticated” Android app posing as a software update utility is in fact spyware, according to researchers at Zimperium zLabs. The sample masquerades as a System Update app while it quietly takes control of the device and hands the user’s data to a third party.
The sample is not available on the Play Store; it is distributed through a third-party repository. Once installed, it registers the device with a Firebase command-and-control (C2) server that issues commands telling the spyware what to steal, while a second, dedicated C2 server manages the stolen data.
Data exfiltration is triggered automatically when a condition is met: the user adds a new contact, an SMS arrives, or a new app is installed. The malware, a Remote Access Trojan (RAT), can read messages, collect GPS data, harvest images and video files, copy call logs, hijack the camera to take photos, record audio, read browser bookmarks and even record phone calls. It also collects operational information about the device, such as storage capacity and the list of installed apps.
Instant messengers are also at risk: the malware abuses Android’s Accessibility Services to read the content of these apps, including WhatsApp. Once the device is registered with the C2 server, the messengers’ database records are also liable to be harvested. The app effectively has full control of the device and can even search it for files with extensions such as .pdf, .docx and .xls.
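As an added example, not part of the original report and not Zimperium's code, here is a static triage check written for this page that reads a decoded AndroidManifest.xml and flags the combination of indicators the article describes together: a service bound as an accessibility service, receivers for the SMS-received and package-added triggers, a Firebase Cloud Messaging service usable as a C2 channel, and the permission set needed to reach contacts, messages, location, camera, microphone, call log and storage. The indicator list, the scoring rule, the package name and both sample manifests are constructed for illustration; they are not Zimperium's IOCs, and the real sample's manifest may differ. Any single indicator is legitimate on its own (a screen reader needs the accessibility binding, a chat app needs FCM), so the verdict is only raised when the accessibility binding, at least one trigger receiver and three or more capability permission groups appear in one manifest.

```python
import xml.etree.ElementTree as ET

# Attribute names in a decoded manifest carry the android: namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission groups mapped to the capabilities the article lists.
# Hypothetical grouping for this example, not a published indicator list.
CAPABILITY_PERMS = {
    "messages": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera":   {"android.permission.CAMERA"},
    "audio":    {"android.permission.RECORD_AUDIO"},
    "call_log": {"android.permission.READ_CALL_LOG"},
    "storage":  {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Intent actions that correspond to the exfiltration triggers (SMS received,
# app installed), the Firebase command channel and the accessibility abuse.
COMPONENT_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "trigger:sms_received",
    "android.intent.action.PACKAGE_ADDED": "trigger:package_added",
    "com.google.firebase.MESSAGING_EVENT": "c2:firebase_messaging",
    "android.accessibilityservice.AccessibilityService": "abuse:accessibility_service",
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the matched indicators and a verdict for one decoded manifest."""
    root = ET.fromstring(manifest_xml)
    findings = set()

    # 1. Which capability groups does the app ask permission for?
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    for cap, wanted in CAPABILITY_PERMS.items():
        if perms & wanted:
            findings.add("perm:" + cap)

    # 2. Which receivers/services register the trigger, C2 or accessibility actions?
    for comp in root.iter():
        if comp.tag not in ("receiver", "service"):
            continue
        if comp.get(ANDROID_NS + "permission") == A11Y_BIND:
            findings.add("abuse:accessibility_service")
        for action in comp.iter("action"):
            tag = COMPONENT_ACTIONS.get(action.get(ANDROID_NS + "name"))
            if tag:
                findings.add(tag)

    # 3. Verdict: accessibility binding + an exfil trigger + broad data access.
    caps = {f for f in findings if f.startswith("perm:")}
    triggers = {f for f in findings if f.startswith("trigger:")}
    suspicious = ("abuse:accessibility_service" in findings
                  and bool(triggers) and len(caps) >= 3)
    return {"findings": sorted(findings),
            "verdict": "suspicious" if suspicious else "low"}


# Constructed manifest modelled on the behaviour described in the article.
SPYWARE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="System Update">
    <service android:name=".FcmService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".Triggers">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
        <action android:name="android.intent.action.PACKAGE_ADDED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign manifest: a chat app that only uses FCM for push messages.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Chat">
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("spyware", SPYWARE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage_manifest(xml))
```

Run it against the output of `apktool d sample.apk` (the decoded `AndroidManifest.xml`) to get a quick first-pass triage; a hit still needs confirmation by inspecting the accessibility service's code and the FCM message handler, since the rule is a heuristic rather than a signature.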