Posted on March 27, 2021 at 1:00 PM
Security researchers have revealed a new Android malware with broad spyware capabilities that steals data from infected devices. The malware is designed to kick into action only when new information is ready to be exfiltrated.
However, the researchers stated that the spyware is installed only as a “System Update” app that was never available on Google’s Play Store, only on third-party Android app stores.
Its absence from the Play Store reduces the number of devices it can reach, since most users are wary of installing apps from third-party sources. It is also limited by having no infection method other than this trojanized app.
Researchers at cybersecurity firm Zimperium discovered the new spyware, which targets sensitive information stored on the device and sends it to servers controlled by the threat actors.
The spyware has a wide range of capabilities
Despite its limited distribution, the app is considered very dangerous because of the wide range of malicious actions it can carry out. These capabilities include:
- Exfiltrating device information
- Stealing call logs
- Stealing phone contacts
- Stealing SMS messages
- Listing the installed applications
- Monitoring the GPS location
- Periodically taking
- Recording phone calls
- Stealing images and videos
- Inspecting the browser’s bookmarks and search history on the target device
- Inspecting the clipboard data
- Inspecting the content of the notifications
- Recording audio
- Searching for files with specific extensions
- Stealing instant messenger database files
- Stealing instant messenger messages
The spyware also hides on infected Android devices by removing its icon from the app drawer.
It also tries to avoid detection by exfiltrating only thumbnails of the images and videos it finds. Thumbnails consume far less of the victim’s bandwidth, which keeps the background exfiltration from arousing suspicion.
The malware steals only the most recent data
The researchers also found that the malware does not steal data in bulk like other malware. Instead, it harvests only the most recent data, such as records created only minutes earlier.
That narrow focus does not limit what it can take: across categories, the spyware collects and exfiltrates a wide range of information from the victim’s device, which the researchers cite as another reason it is considered very dangerous.
Once installed on an Android device, the malware sends information to its command-and-control (C2) server in several pieces, including the list of installed apps, the type of internet connection, and storage statistics.
The spyware reads data through Android’s Accessibility services, or harvests it directly when it has root access. In most cases it tricks the victim into enabling the Accessibility service for the app on the targeted device; an enabled accessibility service for an unfamiliar app is therefore a standing indicator worth checking under Settings > Accessibility.
It also scans external storage for cached or stored data. Whatever it finds is harvested and sent to the C2 server once the device is online. Everything happens in the background, so the victim is unaware that data is leaving the device.
It can also steal files stored on the device’s external storage.
The new malware works differently
The Zimperium researchers also noted that the malware operates differently from other known malware: it is triggered through Android’s ContentObserver and BroadcastReceiver mechanisms.
That means it fires only when specific conditions are met. Because it harvests only recent data, it begins exfiltrating when it notices a newly installed app, a new text message, or a new contact on the user’s device.
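The traits described above (no launcher entry, an accessibility service the victim is tricked into enabling, receivers that wake the app on a new package or SMS, and the data-access permissions behind the capability list) are all visible in an app’s manifest. The following static triage script is an added example, not part of the original article or of Zimperium’s tooling. It expects a decoded AndroidManifest.xml such as apktool produces; the manifest embedded below is constructed for the example, and the package name com.example.sysupdate is made up.

```python
# Added example (not Zimperium's code): static first-pass triage of a decoded
# AndroidManifest.xml for the traits described in the article. The sample
# manifest at the bottom is constructed; com.example.sysupdate is made up.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that back the capability list (SMS, call logs, contacts,
# location, audio, external storage).
SPY_PERMISSIONS = {"android.permission." + p for p in (
    "READ_SMS", "RECEIVE_SMS", "READ_CALL_LOG", "READ_CONTACTS",
    "ACCESS_FINE_LOCATION", "RECORD_AUDIO", "READ_EXTERNAL_STORAGE")}

# Broadcasts the article says wake the spyware (new app installed, new SMS).
TRIGGER_ACTIONS = {"android.intent.action.PACKAGE_ADDED",
                   "android.provider.Telephony.SMS_RECEIVED"}

def _name(el):
    """Read the android:name attribute of a manifest element."""
    return el.get("{%s}name" % ANDROID_NS, "")

def _filter_has(component, action, category=None):
    """True if any <intent-filter> under component declares action (and category)."""
    for f in component.iter("intent-filter"):
        actions = {_name(a) for a in f.iter("action")}
        cats = {_name(c) for c in f.iter("category")}
        if action in actions and (category is None or category in cats):
            return True
    return False

def triage_manifest(xml_text):
    """Return the indicators found plus an overall 'suspicious' verdict."""
    root = ET.fromstring(xml_text)
    perms = {_name(p) for p in root.iter("uses-permission")}
    # A launcher entry may be declared on <activity> or <activity-alias>.
    launcher = any(
        _filter_has(a, "android.intent.action.MAIN", "android.intent.category.LAUNCHER")
        for tag in ("activity", "activity-alias") for a in root.iter(tag))
    # An accessibility service must be guarded by BIND_ACCESSIBILITY_SERVICE.
    a11y = any(
        s.get("{%s}permission" % ANDROID_NS) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service"))
    triggers = sorted(act for act in TRIGGER_ACTIONS
                      if any(_filter_has(r, act) for r in root.iter("receiver")))
    findings = {
        "spy_permissions": sorted(perms & SPY_PERMISSIONS),
        "accessibility_service": a11y,
        "trigger_receivers": triggers,
        "launcher_activity": launcher,
    }
    # Verdict: accessibility service, wake-up receivers and at least three
    # data-access permissions, with no visible launcher entry.
    findings["suspicious"] = (a11y and bool(triggers)
                              and len(findings["spy_permissions"]) >= 3
                              and not launcher)
    return findings

# Constructed sample mimicking the traits described in the article.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="System Update">
        <activity android:name=".Main"/>
        <service android:name=".Watcher"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".Wake">
            <intent-filter>
                <action android:name="android.intent.action.PACKAGE_ADDED"/>
                <data android:scheme="package"/>
            </intent-filter>
            <intent-filter>
                <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

A manifest scan is only a first pass: receivers and ContentObservers registered at runtime leave no trace in the manifest, and an app can hide a declared launcher icon after install, so pair this with a live check on the device, for example `adb shell settings get secure enabled_accessibility_services` to see which packages currently hold an enabled accessibility service.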
The malware also displays a fake “Searching for update” message in the system notifications whenever its operators send new commands, masking the continued malicious activity.
Several messaging apps are exposed to the malware’s data harvesting, including WhatsApp with its billions of users. The spyware can also stay hidden and undetected for a long time, since it relies on permissions the victim grants rather than on an exploit to gain its access.