A new, “sophisticated” Android spyware app disguising itself as a software update has been discovered by researchers. According to Zimperium zLabs, the malware masquerades as a System Update application while quietly exfiltrating user and handset data, reports ZDNet.
Once installed, the victim’s device is registered with a Firebase command-and-control (C2) server used to issue commands, while a separate, dedicated C2 is used to manage data theft.
The team says that data exfiltration is triggered once a condition has been met, such as the addition of a new mobile contact, the installation of a new app, or the receipt of an SMS message.
The malware is a Remote Access Trojan (RAT) that can steal GPS data, SMS messages, contact lists, and call logs; harvest images and video files; covertly record microphone-based audio; hijack a mobile device’s camera to take photos; review browser bookmarks and histories; eavesdrop on phone calls; and steal operational information on a handset, including storage statistics and lists of installed applications.
Instant messenger content is also at risk as the RAT abuses Accessibility Services to access these apps, including WhatsApp.
The RAT will also attempt to steal files from external storage. However, considering some content — such as videos — can be too large to steal without impacting connectivity, thumbnails alone are exfiltrated.
“When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2,” the researchers note.
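As an added example (not from the Zimperium report or the original article), the sketch below scores an app inventory against the behaviours described above: a System Update label on a user-installed app, an accessibility service, and broad access to the data types the RAT collects. The record layout, package names and thresholds are assumptions made for illustration; the permission strings are standard Android permission names.

```python
# Added illustration. Record layout, package names and thresholds are assumptions.
SENSITIVE = {  # standard Android permission names -> data type named in the article
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.READ_CONTACTS": "contact lists",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.RECORD_AUDIO": "microphone audio",
    "android.permission.CAMERA": "camera",
    "android.permission.ACCESS_FINE_LOCATION": "GPS data",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage",
}

# Constructed sample inventory (hypothetical packages, e.g. exported from an MDM).
SAMPLE_INVENTORY = [
    {"package": "com.example.sysupdate", "label": "System Update",
     "system_app": False, "accessibility_service": True,
     "permissions": list(SENSITIVE)},
    {"package": "com.example.vendor.ota", "label": "System Update",
     "system_app": True, "accessibility_service": False,
     "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.screenreader", "label": "Screen Reader",
     "system_app": False, "accessibility_service": True,
     "permissions": ["android.permission.RECORD_AUDIO"]},
]

def triage(app):
    """Return the list of reasons one inventory record resembles the described RAT."""
    reasons = []
    label = app["label"].lower()
    # Masquerade: a system-update label on an app that is not in the system image.
    if "system" in label and "update" in label and not app["system_app"]:
        reasons.append("system-update label on a user-installed app")
    # Accessibility Services are how the RAT reads messenger content.
    if app["accessibility_service"]:
        reasons.append("declares an accessibility service")
    # Broad collection: several of the data types the article lists.
    hits = sorted(SENSITIVE[p] for p in app["permissions"] if p in SENSITIVE)
    if len(hits) >= 4:
        reasons.append("broad sensitive access: " + ", ".join(hits))
    return reasons

def suspicious(inventory, threshold=2):
    """Packages with at least `threshold` independent reasons, for manual review."""
    return [a["package"] for a in inventory if len(triage(a)) >= threshold]

if __name__ == "__main__":
    for pkg in suspicious(SAMPLE_INVENTORY):
        print(pkg)
```

A single signal is not enough on its own: the legitimate screen reader in the sample declares an accessibility service but is not flagged, because the heuristic requires at least two independent reasons.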
This month, Google pulled several Android apps from the Play Store that contained a dropper for banking Trojans. The utility applications, including a virtual private network (VPN) service, recorder, and barcode scanner, were used to install mRAT and AlienBot.