This is the new spyware for Android disguised as a system update

This variety of malware steals private messages and location data while recording phone calls.

It is a sophisticated strain of malware that poses as an application called “System Update” and is capable of stealing user data from infected Android devices.

The mobile application, which works as a remote access trojan (RAT), is part of a sophisticated spyware campaign and can record audio from infected devices. It is also capable of taking photos and accessing WhatsApp messages, according to Zimperium researchers.

Once installed, the malware registers with its own Firebase command and control (C&C) server, a service typically used by Android developers. It also registers with a second, standalone C&C server, to which it sends an initial cache of information. This includes whether WhatsApp is installed, the battery percentage, storage statistics and other details. The app can only be installed from a third-party store, not from the Google Play store.

The malware then receives commands to initiate different actions, such as recording audio from the microphone and exfiltrating data. Researchers have also discovered that the malware is capable of inspecting web browsing data, stealing images and videos, monitoring GPS locations, and stealing phone contacts. In addition, it can access call logs and extract device information.

The app also requests permission to enable accessibility services and takes advantage of this to collect conversations and details from WhatsApp messages. It does this by reading the content of the screen once it detects that the user has opened the messaging service.

The malware hides its icon from the device’s main menu and app drawer, and it also masquerades as the legitimate System Update app to avoid suspicion. When the device screen is off, the spyware creates a “check for updates” notification via the Firebase messaging service, which allows it to generate automatic notifications.
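A defender's triage sketch built from the traits described so far: installation from outside Google Play, a “System Update” label, an enabled accessibility service and no launcher icon. This is an added example, not code from the researchers or from this article; the inventory record format, its field names and all package names are assumptions constructed for illustration.

```python
# Added triage heuristic; every package record below is constructed sample data.
PLAY_STORE = "com.android.vending"  # installer package name of Google Play

def parse_enabled_accessibility(value):
    """Package names from the colon-separated 'enabled_accessibility_services'
    secure setting, whose entries look like 'package/service.Class'."""
    if not value or value == "null":  # an unset setting reads back as "null"
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def score_package(pkg, a11y_packages):
    """Return the list of article-described traits that one record matches."""
    if pkg["system"]:  # preinstalled image components are out of scope here
        return []
    reasons = []
    if pkg["installer"] != PLAY_STORE:
        reasons.append("installed from outside Google Play")
    if "system update" in pkg["label"].lower():
        reasons.append("non-system app labelled as a system update")
    if pkg["name"] in a11y_packages:
        reasons.append("accessibility service enabled")
    if not pkg["has_launcher_icon"]:
        reasons.append("no launcher icon")
    return reasons

def triage(inventory, a11y_setting, threshold=3):
    """Map package name -> reasons for records matching >= threshold traits."""
    a11y = parse_enabled_accessibility(a11y_setting)
    hits = {p["name"]: score_package(p, a11y) for p in inventory}
    return {name: r for name, r in hits.items() if len(r) >= threshold}

# Constructed inventory (hypothetical package names), e.g. from an MDM export.
SAMPLE_INVENTORY = [
    {"name": "com.example.vendor.ota", "label": "System Update",
     "installer": None, "system": True, "has_launcher_icon": False},
    {"name": "com.example.sysupdate", "label": "System Update",
     "installer": "com.example.altstore", "system": False, "has_launcher_icon": False},
    {"name": "com.example.screenreader", "label": "Screen Reader",
     "installer": PLAY_STORE, "system": False, "has_launcher_icon": True},
    {"name": "com.example.game", "label": "Block Puzzle",
     "installer": None, "system": False, "has_launcher_icon": True},
]
SAMPLE_A11Y = "com.example.sysupdate/.Watcher:com.example.screenreader/.Reader"

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_INVENTORY, SAMPLE_A11Y).items():
        print(name, "->", "; ".join(reasons))
```

A single trait is common among legitimate apps (a Play-installed screen reader uses accessibility services, a sideloaded game has no Play installer), which is why the sketch only flags records that match several traits at once.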

Concealment as its main advantage

The spyware's functionality is activated under various conditions, such as when a new contact is added, when a new text message is received or when a new application is installed. It does this by exploiting Android receivers, including “ContentObserver” and “Broadcast”, which allow communication between the device and the server.

The Firebase messaging service is only used to launch malicious functions, such as audio recording or data exfiltration, by sending commands to the infected devices. The data itself is then collected by the second, dedicated C&C server.

The spyware also collects only up-to-date information, with an update frequency of approximately 5 minutes for location and network data. The same applies to photos taken with the device’s camera, but there the value grows to up to 40 minutes.

So far, investigators have not been able to determine who is behind the campaign or whether the hackers are trying to target specific users. Since this spyware can only be downloaded from outside Google Play, users are strongly advised not to download anything external.
