Security researchers have found a new example of Android malware that is almost as devious as it gets, in terms of the way that it tries to fool unsuspecting users.
Zimperium zLabs researchers found what they describe as a “sophisticated new malicious app” targeting Android users: it disguises itself as a System Update, even though it is nothing of the kind. The application can completely take over a victim’s phone, stealing data, messages, and images. Once it has taken over a targeted phone, “hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more,” according to a blog post from the researchers describing their findings.
“The mobile application poses a threat to Android devices by functioning as a Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide range of data and perform a wide range of malicious actions,” the researchers’ blog post continues. Those actions also include:
- Stealing instant messenger messages and database files;
- Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser;
- Searching for files with specific extensions (including .pdf, .doc, .docx, .xls, and .xlsx);
- Inspecting the clipboard data and the content of notifications;
- Recording audio and phone calls;
- Periodically taking pictures (either through the front or back cameras);
- Monitoring the GPS location;
- Stealing SMS messages, phone contacts, and call logs.
As if all that wasn’t bad enough, this particular application is also able to conceal its presence from the victim by hiding the icon from the device’s menu or app drawer.
Zimperium CEO Shridhar Mittal told one news outlet that this malware seems like it was part of a targeted attack. “It’s easily the most sophisticated we’ve seen,” Mittal said. “I think a lot of time and effort was spent on creating this app. We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible.”
Zimperium says that this malware’s functionality and data exfiltration are triggered under conditions that include a new contact being added to the device, a new SMS text being received, or a new application installed “by making use of Android’s contentObserver and Broadcast receivers.”
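As an added illustration (not Zimperium’s code and not the malware’s), the Python helper below reads a decoded AndroidManifest.xml and maps the permissions and broadcast receivers it declares onto the capability and trigger list described above; the sample manifest, the permission-to-capability mapping, and the “five or more capabilities plus a trigger” threshold are constructed for this example.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
# Hypothetical mapping from permissions to the article's capability list (a triage heuristic, not Zimperium's logic).
PERMISSION_CAPABILITIES = {
    "android.permission.READ_SMS": "steal SMS messages",
    "android.permission.READ_CONTACTS": "steal contacts",
    "android.permission.READ_CALL_LOG": "steal call logs",
    "android.permission.RECORD_AUDIO": "record audio/calls",
    "android.permission.CAMERA": "take pictures",
    "android.permission.ACCESS_FINE_LOCATION": "monitor GPS location",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
# Broadcast actions matching two of the triggers the article describes.
TRIGGER_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "new SMS received",
    "android.intent.action.PACKAGE_ADDED": "new app installed",
}

def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    caps = {PERMISSION_CAPABILITIES[p] for p in perms if p in PERMISSION_CAPABILITIES}
    # A service guarded by the notification-listener permission can read notification content.
    if any(s.get(NS + "permission") == NOTIFICATION_LISTENER for s in root.iter("service")):
        caps.add("read notification content")
    # Only look inside <receiver>: launcher activities declare <action> elements too.
    triggers = {TRIGGER_ACTIONS[a.get(NS + "name")] for r in root.iter("receiver")
                for a in r.iter("action") if a.get(NS + "name") in TRIGGER_ACTIONS}
    return {"capabilities": sorted(caps), "triggers": sorted(triggers),
            "rat_like": len(caps) >= 5 and bool(triggers)}

# Constructed manifest for a hypothetical "System Update" app (not the real sample's).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application>
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <receiver android:name=".InstallReceiver"><intent-filter>
      <action android:name="android.intent.action.PACKAGE_ADDED"/></intent-filter></receiver>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""
```

Calling `triage_manifest(SAMPLE_MANIFEST)` flags the constructed app as RAT-like, while a manifest that requests only `android.permission.INTERNET` is not flagged.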
Here’s the good news about this malware: It’s not coming from the official Google Play Store. Zimperium confirmed with Google that this app is not and has never been available on Google Play, which means users are unwittingly downloading this to their device when they visit unofficial third-party application stores — a huge mobile security no-no. So make sure you’re getting your apps from Google’s official store, and you should be safe.