Security researchers have documented a new piece of Android malware that, in how it tricks unsuspecting users into installing it, is about as devious as they come.
Researchers at Zimperium zLabs describe a “sophisticated new malicious software” that targets Android users by posing as a System Update. Once installed, it can take near-complete control of the victim’s phone, including stealing data, messages, and photos. According to the researchers’ blog post describing the find, once the software is on a targeted phone, “hackers can capture audio and phone calls, take photographs, check browser history, access WhatsApp messages, and more.”
“The mobile application poses a threat to Android devices by acting as a Remote Access Trojan (RAT) that receives and executes commands to capture and exfiltrate a wide range of data and carry out a variety of malicious actions,” the researchers continue in their blog post. Those actions include:
- stealing database files and instant-messaging messages;
- inspecting bookmarks and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser;
- searching for files with particular extensions (such as .pdf, .doc, .docx, .xls, and .xlsx);
- reading the contents of notifications and the clipboard;
- recording audio and phone calls;
- taking photos on a daily basis (with either the front or the back camera);
- tracking the device’s GPS position;
- stealing SMS messages, phone contacts, and call logs.
As if that weren’t bad enough, the app can also hide its icon from the device’s launcher or app drawer, making it much harder for the victim to notice that it is installed at all.
According to Zimperium CEO Shridhar Mittal, the malware appears to have been part of a targeted attack. “It’s easily the most advanced we’ve seen,” Mittal said. “I believe this app took a lot of time and effort to develop. We know there are similar applications out there, and we’re doing whatever we can to find them as soon as possible.”
According to Zimperium, the malware’s collection and exfiltration routines are triggered by events on the device rather than on a timer: a new contact being added, a new SMS text being sent, or a new application being installed, which it watches for “by using Android’s contentObserver and Broadcast receivers.” In Android terms, that means registering a ContentObserver on the content providers that back contacts and SMS, and registering BroadcastReceivers for the system broadcasts (such as a package-added intent) that those events raise; both are ordinary platform APIs, which is part of why the behaviour looks unremarkable from the outside.
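The broadcast-receiver half of that trigger mechanism is declared in an app's manifest, so it can be checked statically. The following Python script is an added example, not code from the article or from Zimperium: it parses a decoded AndroidManifest.xml and flags the combination of receivers that wake on package installs or incoming SMS together with the permissions behind the data the RAT collects. The two manifests embedded below are constructed samples; a real APK's manifest is binary XML and is assumed to have been decoded first (for instance with apktool). The trigger-action set, the permission-to-capability mapping and the "three or more permissions" threshold are assumptions chosen for this example. ContentObserver registrations happen at runtime and never appear in the manifest, so this check cannot see that half of the mechanism.

```python
"""Static triage of a decoded AndroidManifest.xml for manifest-declared
BroadcastReceivers that fire on package installs or incoming SMS, paired with
permissions needed for the kinds of data an Android RAT collects.
Added example; the manifests are constructed samples, not real malware."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # how ElementTree spells the android:name attribute

# Broadcast actions matching two of the triggers the article mentions
# (new app installed, new SMS). Assumption: tune this set per investigation.
TRIGGER_ACTIONS = {
    "android.intent.action.PACKAGE_ADDED",
    "android.provider.Telephony.SMS_RECEIVED",
}

# Permissions behind the capabilities listed in the article (assumed mapping).
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.READ_CALL_LOG": "read call logs",
    "android.permission.RECORD_AUDIO": "record audio",
    "android.permission.CAMERA": "take photos",
    "android.permission.ACCESS_FINE_LOCATION": "track GPS position",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return trigger receivers, collection capabilities and a verdict.
    Verdict heuristic (an assumption for this example): at least one trigger
    receiver plus three or more collection permissions."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    capabilities = sorted(
        CAPABILITY_PERMISSIONS[p] for p in perms if p in CAPABILITY_PERMISSIONS
    )
    triggers = []
    for receiver in root.iter("receiver"):  # document order
        actions = {a.get(NAME) for a in receiver.iter("action")}
        hits = sorted(actions & TRIGGER_ACTIONS)
        if hits:
            triggers.append((receiver.get(NAME), hits))
    suspicious = bool(triggers) and len(capabilities) >= 3
    return {"triggers": triggers, "capabilities": capabilities,
            "suspicious": suspicious}


# Constructed sample: a fake "System Update" app with install/SMS receivers
# and the permissions for several collection capabilities.
SPYWARE_LIKE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.systemupdate">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="System Update">
        <receiver android:name=".InstallReceiver">
            <intent-filter>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <data android:scheme="package"/>
            </intent-filter>
        </receiver>
        <receiver android:name=".SmsReceiver">
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

# Constructed sample: a launcher-style app that legitimately watches for new
# packages but requests none of the collection permissions.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.launcher">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Launcher">
        <receiver android:name=".PackageReceiver">
            <intent-filter>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <data android:scheme="package"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for label, xml in (("spyware-like", SPYWARE_LIKE_MANIFEST),
                       ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

The benign sample shows why a receiver on PACKAGE_ADDED is not a signal on its own; launchers and app-store clients use it routinely. What stands out is the pairing of event-driven wake-ups with a broad collection permission set, which is the combination the heuristic scores.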
The good news is that this malware did not come from Google’s official Play Store. According to Zimperium, the app is not and has never been available on Google Play, which means victims are picking it up by sideloading it from unofficial third-party app stores, a practice that remains a major mobile-security risk. Installing software only from Google’s official store greatly reduces the chance of ending up with something like this, although no store is a complete guarantee. It is also worth reviewing a phone’s installed apps for anything that was not installed by Play, since a fake “System Update” that hides its own icon will not announce itself.
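One concrete way to do that review from a workstation, as an added example that is not part of the article: Android's package manager records which package installed each app, and `adb shell pm list packages -i -3` prints every third-party package with its installer. The Python below parses that output and flags anything not installed by Google Play. The sample output lines are constructed; the line format (`package:<name>  installer=<installer>`, with `null` when no installer was recorded) is what the command prints, and the trusted-installer set is an assumption you would extend with an enterprise MDM if you use one.

```python
"""Flag sideloaded apps from `adb shell pm list packages -i -3` output.
Added example; the sample output below is constructed, not captured."""
import re

# Installer packages you trust. Assumption: Google Play only; add your MDM's
# agent package here if devices are enrolled.
TRUSTED_INSTALLERS = {"com.android.vending"}

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def sideloaded_packages(pm_output: str) -> list[tuple[str, str]]:
    """Return (package, installer) pairs whose installer is not trusted.
    Lines that do not match the pm format are ignored."""
    flagged = []
    for line in pm_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.group("pkg"), m.group("installer")
        if installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installer))
    return flagged


# Constructed sample of what `adb shell pm list packages -i -3` prints:
# Play-installed apps, one app with no recorded installer (classic sideload),
# and one installed by a third-party store client.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.systemupdate  installer=null
package:com.example.thirdpartystore.app  installer=com.example.thirdpartystore
package:org.mozilla.firefox  installer=com.android.vending
"""

if __name__ == "__main__":
    # Real use: pipe the adb output into this script instead of the sample.
    for pkg, installer in sideloaded_packages(SAMPLE_PM_OUTPUT):
        print(f"{pkg}: installed by {installer}")
```

An `installer=null` entry is not proof of malice (apps pushed with `adb install` during development look the same), but on a phone that should only ever see Play-installed apps, every flagged line deserves a look, starting with anything whose label claims to be a system component.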