Android Malware Poses as System Update

Zimperium zLabs researchers revealed unsecured cloud configurations exposing information in thousands of legitimate iOS and Android apps. zLabs is warning Android users about a sophisticated new malicious app.

The new malware disguises itself as a System Update application, and is stealing data, messages, images and taking control of Android phones.

Once in control, hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more.

The “System Update” app was identified by zLabs researchers who noticed an Android application being detected by the z9 malware engine powering zIPS on-device detection. The experts shared their findings with Google, which confirmed that the malicious app has never been uploaded on Google Play.

What can the Malware do?

The mobile application poses a threat to Android devices by functioning as a Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide range of data and perform a wide range of malicious actions, such as:

  • Stealing instant messenger messages;
  • Stealing instant messenger database files (if the root is available);
  • Inspecting the default browser’s bookmarks and searches;
  • Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser;
  • Searching for files with specific extensions (including .pdf, .doc, .docx, and .xls, .xlsx);
  • Inspecting the clipboard data;
  • Inspecting the content of the notifications;
  • Recording audio;
  • Recording phone calls;
  • Periodically take pictures (either through the front or back cameras);
  • Listing of the installed applications;
  • Stealing images and videos;
  • Monitoring the GPS location;
  • Stealing SMS messages;
  • Stealing phone contacts;
  • Stealing call logs;
  • Exfiltrating device information (e.g., installed applications, device name, storage stats); and
  • Concealing its presence by hiding the icon from the device’s drawer/menu.

How does the malware work?

Once downloaded the malicious app from a third-party store and installed it, the spyware registers itself with a Firebase command-and-control (C2) server with information such as the presence of WhatsApp, battery percentage, and storage stats.

The malware exfiltrates data from the infected devices in the form of an encrypted ZIP file.

The spyware’s actions and exfiltration are triggered in different circumstances, including the creation of a new contact, when a new SMS is received or, a new application is installed by the victims.

The malware receives commands through the Firebase messaging service to start actions like recording audio from the microphone. The stolen data is exfiltrated to a dedicated C2 through a POST request. Below is the list of commands supported by the spyware:

The spyware is capable of performing a wide range of malicious activities to spy on the victim while posing as a “System Update” application.” concludes the report.

“It exhibits a rarely seen before the feature, stealing thumbnails of videos and images, in addition to the usage of a combination of Firebase and a dedicated Command & Control server for receiving commands and exfiltrate data”.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.