Researchers uncovered malware posing as System Update — takes control of the device, steals almost all the data, and perform a variety of invasive actions.
System Update Steals Data
Latest malware with extensive capabilities steals almost every data from android devices and also ex-filtrate whenever new info is available on the device.
Recently, unsecured cloud configurations are exposing user data across thousands of legitimate Android and iOS applications, Zimperium zLabs researchers revealed.
This week, zLabs is warning Android users about a sophisticated new malicious app.
Firstly, The new malware disguises itself as a System Update application, later takes control of Android phones, steals data.
Certainly, the malware disguised as a “system update” is making the rounds on Android devices. Where the update can only be installed via third-party Android app stores – the app never been on Google Play.
In addition, the malware functioning as a Remote Access Trojan (RAT), then executes commands to collect and ex-filtrate the data and perform a wide range of malicious actions, such as:
- Stealing instant messenger messages
- Stealing instant messenger database files (if root is available)
- Inspecting the default browser’s bookmarks and searches
- Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser
- Searching for files with specific extensions (including .pdf, .doc, .docx, and .xls, .xlsx)
- Inspecting the clipboard data
- Inspecting the content of the notifications
- Recording audio, phone calls
- Periodically take pictures (either through the front or back cameras)
- Listing of the installed applications
- Stealing images and video
- Monitoring the GPS location
- Stealing SMS messages, phone contacts, call logs
- Ex-filtrating device information (e.g., installed applications, device name, storage stats)
- also, Concealing its presence by hiding the icon from the device’s drawer/menu
“Once in control, hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more,” researchers added.
However, once the malware installed on a device, shares several info which encrypted as a ZIP file to its Command-and-Control (C2) server including:
- storage stats
- battery percentage
- the internet connection type
- also, the presence of various apps such as WhatsApp.
Importantly, determined to leave no traces of its malicious actions, the spyware deletes the files as soon as it receives a “success” response from the C&C server on successfully receiving the uploaded files.
Searching for Update…
Once the user selects to “update” the existing information, the app infiltrates the affected device. Upon dissemination, the C&C receives all relevant data, including the new generated Firebase token.
On the other hand, the spyware creates a notification if the device’s screen is off, when it receives a command using the Firebase messaging service.
“The Firebase communication is only used to issue the commands, and a dedicated C&C server is used to collect the stolen data by using a POST request.“
The “Searching for update..” is not a legitimate notification from the operating system, but the spyware.
Unlike other malware that harvests data in bulk, thus reducing the victims’ bandwidth consumption to avoid drawing their attention to the background data exfiltration activity, this one will also make sure that it:
- ex-filtrates only the most recent data
- collecting location data created and photos taken within the last few minutes
- to further evade detection, it only steal thumbnails of videos and images it finds
Firstly, It is highly recommended to update or install the latest Android/Security updates directly from the official store.
However, Android updates will never come in the form of a new, self-contained app. Aware of the text messages or the ads that asks to download/install any application.
In short, check for updates from official vendor, never download applications from third-party sites on any purpose.