New powerful Android malware disguised as a critical system update can take full control of the victim’s device and steal data, according to security researchers.

The malware was found bundled with an app named “System Update” that was installed from a location other than Google Play, Google’s app store for Android devices. Once installed by the user, the app hides itself and secretly leaks data from the victim’s device to the attacker’s server.

When a victim installs the app, the malware communicates with the attacker’s Firebase server, which is used to remotely control the device, according to researchers at Zimperium, a mobile security company that discovered the malicious app.

The spyware can steal messages, contacts, device details, browser bookmarks and search history, record calls and ambient sound through the microphone, and take pictures with the device’s camera. It also tracks the victim’s location, searches for document files, and retrieves data copied to the device’s clipboard.

The malware hides from the victim and attempts to avoid detection by keeping network data consumption low: it uploads thumbnails to the attacker’s server instead of full-size images. It also collects only the most recent data, such as location information and photos.

Zimperium CEO Shridhar Mittal said the malware is likely to be part of a targeted attack.

“It’s the most sophisticated malware I’ve ever seen,” Mittal said. “I think we’ve spent a lot of time and effort developing this app. I think there are other apps like this, but we’re doing our best to find them as soon as possible.”


Screenshots of malware disguised as a system update running on an Android device. This malware has full control over infected devices.

Tricking users into installing malicious apps is a simple and effective way to compromise a victim’s device. That’s why Android users are warned not to install apps from outside the app store. However, many older devices don’t work with the latest apps, forcing users to rely on older app versions from pirated app stores.

Mittal confirmed that the malicious app was never available on Google Play. A Google spokeswoman declined to comment on what the company is doing to prevent this malware from getting into the Android app store. In the past, malicious apps have slipped through Google’s filters.

This type of malware, which gives an attacker broad access to a victim’s device, comes in many forms and under many names, but the core capabilities are the same. In the early days of the Internet, Remote Access Trojans (RATs) were used to spy on victims through their webcams.

Nowadays, child-monitoring apps are often repurposed to monitor a partner, a category known as stalkerware or spouseware.

In 2020, TechCrunch reported that KidsGuard, a stalkerware app ostensibly marketed for monitoring children, used a similar “system update” disguise to infect victims’ devices.

Researchers say they don’t know who made the malware or who it’s targeting.

“Recently, more and more RATs are targeting mobile devices. Attackers are finding that mobile devices have just as much information and are far less protected than traditional endpoints. Probably,” said Mittal.
