Researchers have discovered a new information-stealing Trojan, which targets Android devices with a blitz of data-exfiltration capabilities from collecting browser searches to recording audio and phone calls. While malware on Android has previously taken the guise of copycat apps, which go under names similar to legitimate pieces of software, this clever new malicious app masquerades itself as a System Update application to take control of compromised devices.
"The spyware creates a notification if the device's screen is off when it receives a command using the Firebase messaging service," researchers said in a recent analysis. "The 'Searching for an update..' is not a legitimate notification from the operating system, but the spyware."
Once installed, the sophisticated spyware campaign sets about its task by registering the device with a Firebase command-and-control (C2) server with information such as battery percentage, storage stats, and whether the phone has WhatsApp installed, followed by amassing and exporting any data of interest to the server in the form of an encrypted ZIP file.
The spyware features myriad capabilities with a focus on stealth, including tactics to pilfer contacts, browser bookmarks, and search history, steal messages by abusing the accessibility services, record audio, and phone calls, and take photos using the phone's cameras. It can also track the victim's location, search for files with specific extensions, and grab data from the device's clipboard.
"The spyware's functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or, a new application installed by making use of Android's contentObserver and Broadcast receivers," the researchers said.
The malware not only organizes the collected data into several folders inside its private storage, but it also wipes out any trace of malicious activity by deleting the ZIP files as soon as it receives a "success" message from the C2 server post exfiltration. In a further bid to evade detection and fly under the radar, the spyware also reduces its bandwidth consumption by uploading thumbnails as opposed to the actual images and videos present in external storage.
Although the "System Update" app was never distributed through the official Google Play Store, the research once again highlights how third-party app stores can protect against dangerous malware. The identity of the malware authors, the targeted victims, and the ultimate motive behind the campaign remains unknown.
Red Sky Alliance has been analyzing and documenting these types of cyber threats for 9 years and maintains a resource library of malware and cyber actor reports available at https://redskyalliance.org at no charge. Many past tactics are often dusted off and reused in current malicious campaigns. Red Sky Alliance can provide actionable cyber intelligence and weekly blacklists to help protect your network.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the lab directly at 1-844-492-7225, or feedback@wapacklabs.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/3702558539639477516
Comments