This Sophisticated Android Malware Cleverly Pretends To Be A System Update


Google continues to release patches to keep its Android operating system as safe as possible for users.

Assuming that a user's phone manufacturer ships those updates in time, and that the user installs apps only from the Google Play Store and avoids sketchy apps or files, malware may never be able to infect that phone. Such an Android phone should be relatively safe.

But what happens if the malware itself disguises itself as a legitimate system update?

Researchers at security firm Zimperium found a surprisingly sophisticated malware attack that, after being installed via a bundled app from outside the Play Store, can mask itself using the same notification as a verified update from Google.

And once the malware is active, there is no stopping it from there.

The researchers said that the spyware can do a long list of nefarious things.

They include, but are not limited to: stealing messages and call logs, stealing contacts, inspecting the default browser's bookmarks and searches, searching for files with specific extensions, inspecting clipboard data, inspecting the content of notifications, recording audio and phone calls, taking pictures periodically, listing installed apps, stealing images and videos, monitoring GPS activity, and extracting other information.

In a blog post, the researchers said that:

"The new malware disguises itself as a System Update application, and is stealing data, messages, images and taking control of Android phones. Once in control, hackers can record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more."

It should be noted that the malware itself is never available in Google's Play Store.

Instead, the only way it can enter a victim's phone is through sideloading an .apk file, or from apps that are downloaded from third-party app stores.

If users never install apps from sources other than the Google Play Store, they should be safe from this malware.

But regardless of that, this malware is novel.

“It’s easily the most sophisticated we’ve seen, I think a lot of time and effort was spent on creating this app. We believe that there are other apps out there like this, and we are trying our very best to find them as soon as possible,” said Shridhar Mittal, CEO of Zimperium.

Names of folders for storing stolen data in the app’s private directory. (Credit: Zimperium)

The spyware in question, which has far-reaching access to a victim’s device, comes in a variety of forms and names. But largely, it does the same thing.

And if having many names is not convincing enough, once it's inside a phone, it can also hide itself very well.

Furthermore, the developers of the app seem to have gone to unusual lengths to hide this malware.

For example, the malware gathers the content it wants to steal into separate folders, which it then zips and encrypts. Those files are deleted as soon as the malware succeeds in uploading them to its command-and-control server, so as to leave no trace of its malicious activity.

The malware can also prevent Android's battery optimization from applying to its app, gathers only the most recent data in order to get the freshest information, steals only certain files of certain sizes, and so forth.

It also uploads thumbnails to its server rather than full-sized images, again in order to "significantly reduce the bandwidth consumption and avoid showing any sign of data exfiltration over the internet."

This malware works by abusing Android's Accessibility Services, access to which is obtained through social engineering: the app asks users to enable accessibility services for it.
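The two traits described above, a sideloaded install and an enabled Accessibility Service, are also what a defender can look for when triaging a device. The following Python script is an added example and is not code from Zimperium or from the article; it parses the text output of two `adb shell` commands (`pm list packages -3 -i` for third-party packages with their installer, and `settings get secure enabled_accessibility_services` for the colon-separated list of enabled services) and flags packages that were not installed by the Play Store yet hold Accessibility access. The exact output formats of those commands are an assumption of this example, and the device output embedded below is constructed, not captured from a real phone.

```python
"""Triage helper: flag sideloaded apps that hold Accessibility Service access.

Added example (not the article's or Zimperium's code). Assumed input formats:
  adb shell pm list packages -3 -i
      -> "package:com.example.app  installer=com.android.vending"
         ("installer=null" when no installer is recorded, e.g. sideloaded)
  adb shell settings get secure enabled_accessibility_services
      -> "pkg/service:pkg2/service2" (colon-separated entries)
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample device output for demonstration (not real data).
SAMPLE_PACKAGES = """\
package:com.example.bank  installer=com.android.vending
package:com.example.notes  installer=com.android.vending
package:com.sysupdate.service  installer=null
package:com.example.tts  installer=com.android.vending
"""
SAMPLE_A11Y = (
    "com.example.tts/.TtsAccessibilityService:"
    "com.sysupdate.service/.UpdateService"
)


@dataclass
class Finding:
    package: str
    installer: Optional[str]          # None when installer is "null"
    accessibility_enabled: bool
    reasons: List[str] = field(default_factory=list)


def parse_packages(text: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None if not recorded)."""
    pkgs: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if not m:
            continue
        installer = None if m.group(2) == "null" else m.group(2)
        pkgs[m.group(1)] = installer
    return pkgs


def parse_accessibility(text: str) -> Set[str]:
    """Return the set of packages that have an enabled Accessibility Service."""
    services: Set[str] = set()
    for entry in text.strip().split(":"):
        if entry and "/" in entry:
            services.add(entry.split("/", 1)[0])
    return services


def triage(packages_text: str, a11y_text: str) -> List[Finding]:
    """Flag packages that are both non-Play-Store and Accessibility-enabled."""
    pkgs = parse_packages(packages_text)
    a11y = parse_accessibility(a11y_text)
    findings: List[Finding] = []
    for pkg, installer in sorted(pkgs.items()):
        sideloaded = installer != PLAY_STORE_INSTALLER
        has_a11y = pkg in a11y
        if not (sideloaded and has_a11y):
            continue  # only the combination is reported
        reasons = [
            "not installed by the Play Store (sideloaded or third-party store)",
            "has an enabled Accessibility Service",
        ]
        # The article's sample posed as "System Update"; a name hint is a weak
        # but cheap extra signal worth recording for the analyst.
        if any(word in pkg.lower() for word in ("update", "system")):
            reasons.append("package name mimics a system update")
        findings.append(Finding(pkg, installer, True, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGES, SAMPLE_A11Y):
        print(f"{f.package} (installer={f.installer})")
        for r in f.reasons:
            print(f"  - {r}")
```

On a real device, pipe the two `adb shell` outputs into `triage()` in place of the constructed samples. A Play-Store-installed app with an Accessibility Service (the `com.example.tts` entry in the sample) is deliberately not reported, since legitimate accessibility tools exist; the combination with a sideloaded install is what narrows the list to candidates worth a closer look.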

The fake notification and communication with the malware's C&C server. (Credit: Zimperium)

"The spyware is capable of performing a wide range of malicious activities to spy on the victim while posing as a 'System Update' application. It exhibits a rarely seen before feature, stealing thumbnails of videos and images, in addition to the usage of a combination of Firebase and a dedicated Command & Control server for receiving commands and exfiltrate data."

This kind of malware can be considered a remote access trojan, or RAT. Once installed, the malware will open a backdoor in the system, allowing the developers of the app to snoop and spy on victims.

Back in the day, RATs were popular among hackers, and the software was distinct. But in the modern era of mobile devices and the internet, 'RAT' software can come in the form of child-monitoring apps, or apps to spy on others, commonly known as stalkerware or spouseware.

“We are starting to see an increasing number of RATs on mobile devices. And the level of sophistication seems to be going up, it seems like the bad actors have realized that mobile devices have just as much information on them and are much less protected than the traditional endpoints,” said Mittal.

As stated by the researchers at Zimperium, the app was never inside the Google Play Store.

It's advised that Android users don’t install .apk files, and instead get their apps straight from the Play Store only.

At this time, the researchers at Zimperium have yet to identify the authors of the malware.

Published: 27/03/2021