New Powerful Android Malware Disguised as System Update is Attacking Android Phones

The New Android Malware Can Take Complete Control of a Victim’s Device and Steal Their Data, Researchers Say.

LAST UPDATED ON MARCH 29, 2021
QUICK READ
3 min
Let's get started!
ANTONIA
DIN
PR & VIDEO CONTENT MANAGER

Are you an Android smartphone owner? Then we have some information for you!

In recent weeks, Zimperium zLabs researchers have discovered a new and aggressive strain of Android malware that is attacking Android smartphones.

As stated by TechCrunch, researchers at mobile security firm Zimperium, this new malware disguises itself as a System Update application, which makes it hard to notice. The alleged System Update app was uncovered after identifying an application flagged by the z9 malware engine powering zIPS on-device detection.

Once the victim installs the malicious app, which must be downloaded from a third-party Android app store, the new advanced Android malware finds sensitive information saved on infected devices and sends it to hacker-controlled servers.

In fact, it’s a Remote Access Trojan (RAT)  that receives and executes commands from a command-and-control server to collect a wide range of data and perform malicious activities.

According to Zimperium, this is one of the most sophisticated Android malware that the company has ever experienced due to its level of complexity of the application and the disguise techniques.

“It’s easily the most sophisticated we’ve seen,”. I think a lot of time and effort was spent on creating this app. We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible.”, Zimperium CEO Shridhar Mittal said.

Source

Mittal also said the malware was likely part of a targeted attack.

So, what can this Android malware do?

With a vast list of compromise capabilities, this malware can:

  • Steal instant messenger messages;
  • Steal instant messenger database files (if root is available);
  • Inspect the default browser’s bookmarks and searches;
  • Inspect the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser;
  • Search for files with specific extensions (including .pdf, .doc, .docx, and .xls, .xlsx);
  • Inspect the clipboard data;
  • Inspect the content of the notifications;
  • Record audio;
  • Record phone calls;
  • Periodically take pictures (either through the front or back cameras);
  • List installed applications;
  • Steal images and videos;
  • Monitor the GPS location;
  • Steal SMS messages;
  • Steal phone contacts;
  • Steal call logs;
  • Exfiltrate device information (e.g., installed applications, device name, storage stats).

Upon installation on an Android device, from a third-party store, the device gets recorded with the Firebase Command and Control (C&C) with aspects such as battery percentage, storage stats, presence or absence of WhatsApp, and the type of internet connection.

Here is a screenshot of the malware masquerading as a system update running on an Android phone.

Android malware masquerading as a system update screenshot

Source

After tricking its targets into allowing the feature on the infected device the malware will collect data directly if it has root access or uses Accessibility Services. It will also scan the external storage for any stored or cached data, harvest it, and deliver it to the C2 servers when the user connects to a Wi-Fi network.

The spyware’s functionality and data exfiltration are triggered under several conditions, such as a new contact added, new SMS received or, a new application installed by making use of Android’s contentObserver and Broadcast receivers.

When receiving new orders from its masters the spyware will show fake “Searching for update..” system update notifications in order to conceal its malicious activity. The malware also hides its presence on infected Android devices by camouflaging the icon from the drawer/menu.

Unlike other malware, this one will also ensure that it will withdraw only the most recent data, collecting photos taken and data created within the last few minutes.

Wrapping it up

The good news, confirmed by Google and Mittal, is that this malicious app was never available on the Google Play Store. As long as you continue to download the apps from the Play Store, you should be safe.

Keeping your apps and system updated is one of the most important tools you have in the fight against cybercriminals. In order to avoid such malicious apps is recommended to avoid downloading files outside Google Play Store.

Official app stores like Apple’s App Store and the Google Play Store have stronger vetting policies to keep malicious apps out. They’re not foolproof but are much safer than third-party downloads.

RELATED

Android Permissions Can Be Dangerous: Full Guide to Managing Them

Android Malware: Your Mobile Device Isn’t Safe from Hackers

Leave a Reply

Your email address will not be published. Required fields are marked *

GO TO TOP