Zimperium researchers describe a new Android spyware app disguising itself as a software update.
According to Zimperium zLabs, the malware looks like a notification about a system update while exfiltrating user and system data.
The app is distributed via a third-party repository and not the official Google Play Store.
Upon installation, the malware contacts a Firebase command-and-control (C2) server and registers the victim’s device. A separate, dedicated C2 server then handles the actual data theft.
Zimperium says that exfiltration is event-driven: it is triggered when, for example, a new contact is added, a new app is installed, or an SMS message arrives. The firm calls it a “sophisticated spyware campaign with complex capabilities.”
The app is a Remote Access Trojan (RAT) that can steal GPS data, SMS messages, contact lists, and call logs; take photos with the device’s camera; steal images and videos; record audio from the microphone; view browser bookmarks and history; eavesdrop on phone calls; and collect device information such as storage statistics and the list of installed apps.
The RAT abuses Android Accessibility Services to read instant-messenger content, including WhatsApp messages.
If the victim’s device is rooted, the operators can steal the underlying database records as well.
The RAT also attempts to steal files from external storage; for large files, only thumbnails are exfiltrated.
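The capabilities and triggers described above (SMS, contacts, call logs, location, camera, microphone, external storage, the SMS-arrival and app-install triggers, and the Accessibility Service abuse) each leave a footprint in an APK's manifest. The following triage script is an added example, not Zimperium's tooling and not code from the malware: it reads a decoded AndroidManifest.xml (the form apktool writes out) and flags samples that declare the whole combination at once. The package name, component names and the two sample manifests are constructed for this example; the threshold in the verdict is an assumption, not a published signature.

```python
"""Hypothetical manifest triage script (not Zimperium's tooling).

Checks a decoded AndroidManifest.xml for the permission / receiver /
accessibility-service combination the described RAT capabilities need.
Sample manifests, package and component names are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_LABEL = f"{{{ANDROID_NS}}}label"

# Permissions behind the capabilities the report lists.
CAPABILITY_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.RECEIVE_SMS": "SMS-arrival trigger",
    "android.permission.READ_CONTACTS": "contact list theft",
    "android.permission.READ_CALL_LOG": "call log theft",
    "android.permission.ACCESS_FINE_LOCATION": "GPS tracking",
    "android.permission.CAMERA": "camera capture",
    "android.permission.RECORD_AUDIO": "microphone / call audio",
    "android.permission.READ_EXTERNAL_STORAGE": "external storage file theft",
    "android.permission.ACCESS_NETWORK_STATE": "Wi-Fi vs mobile data gating",
}

# Broadcasts matching two of the described triggers. The third (new
# contact added) is watched with a runtime ContentObserver, so it leaves
# no trace in the manifest.
TRIGGER_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "SMS arrival",
    "android.intent.action.PACKAGE_ADDED": "new app installed",
}

# A service can only be bound as an accessibility service (and read other
# apps' screen content) if it is guarded by this permission.
A11Y_BIND_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Pull the triage-relevant facts out of a decoded manifest."""
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)
    app = root.find("application")
    receiver_actions = set()
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            receiver_actions.add(action.get(A_NAME))
    return {
        "permissions": {e.get(A_NAME) for e in root.iter("uses-permission")},
        "receiver_actions": receiver_actions,
        "accessibility_services": [
            s.get(A_NAME) for s in root.iter("service")
            if s.get(A_PERMISSION) == A11Y_BIND_PERMISSION
        ],
        # apktool may leave this as "@string/..."; resolve it from res/values then.
        "label": (app.get(A_LABEL) or "") if app is not None else "",
    }


def triage(xml_text):
    """Return the findings plus a coarse verdict: 'review' or 'low'."""
    info = parse_manifest(xml_text)
    findings = []
    perm_hits = [p for p in CAPABILITY_PERMISSIONS if p in info["permissions"]]
    for perm in perm_hits:
        findings.append(f"permission {perm}: {CAPABILITY_PERMISSIONS[perm]}")
    trigger_hits = [a for a in TRIGGER_ACTIONS if a in info["receiver_actions"]]
    for action in trigger_hits:
        findings.append(f"receiver for {action}: {TRIGGER_ACTIONS[action]} trigger")
    for svc in info["accessibility_services"]:
        findings.append(f"accessibility service {svc}: can read messenger UI")
    if "update" in info["label"].lower():
        findings.append(f"label {info['label']!r}: system-update lure")
    # Legitimate messaging or backup apps declare several of these
    # permissions, so the verdict needs the accessibility service, an
    # event trigger AND a broad permission set together (assumed threshold).
    suspicious = bool(info["accessibility_services"]) and bool(trigger_hits) and len(perm_hits) >= 4
    return {"verdict": "review" if suspicious else "low", "findings": findings}


# Constructed sample: what a manifest with the described capabilities looks like.
SPYWARE_LIKE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sysupdate">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application android:label="System Update">
    <receiver android:name=".SmsReceiver"><intent-filter>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter></receiver>
    <receiver android:name=".PackageReceiver"><intent-filter>
      <action android:name="android.intent.action.PACKAGE_ADDED"/><data android:scheme="package"/></intent-filter></receiver>
    <service android:name=".A11yService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"><intent-filter>
      <action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter></service>
  </application>
</manifest>"""

# Constructed benign sample for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("spyware-like", SPYWARE_LIKE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(f"{name}: {result['verdict']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run it against the output of `apktool d sample.apk` by passing the contents of the resulting AndroidManifest.xml to `triage()`. The script is a prioritisation aid, not a detection rule: a "review" verdict means the manifest matches the shape of the described RAT closely enough to justify pulling the APK apart, and a "low" verdict says nothing about code loaded dynamically after installation.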
“When the victim is using Wi-Fi, all the stolen data from all the folders are sent to the C2, whereas when the victim is using a mobile data connection, only a specific set of data is sent to C2,” the researchers note.
The attackers restrict exfiltration over mobile data so that unusual data usage does not tip off the victim that the device has been compromised.
They also impose a time limit on the collected content so that only recent, relevant data is stolen.
Earlier this month, Google removed a number of Android apps from the Play Store that contained a dropper for financial Trojans.