Android Malware poses as Google app to infect Android Devices and to Block Security Apps.
Recently, security researchers at Symantec Corp identified a malware family that attacks Android devices located in China and blocks security apps along with transferring private data from the device to its command servers.
The malware has been named Android.Spywaller and it is being deemed as a unique threat because during the infection it searches for a popular Chinese security app Qihoo 360.
Android.Spywaller uses a firewall to block the internal communications of this app and registers on the Android device it has infected with the same UID that the Qihoo 360 app uses.
It then loads DroidWall, a binary, which is a modified version of the UNIX iptable package that is compatible with Android devices.
This package is a famous firewall utility used on Linux systems and DroidWall was developed by Rodrigo Rosauro, an independent security researcher.
Image Source: Symantec
He later sold DroidWall to AVAST in 2011 and since this app had spent a considerable amount of time as open source, therefore, malware authors could find it easily through repositories like Google Code or GitHub.
Just like Android-Spywaller, DroidWall is also used for blocking security applications so that these aren’t able to communicate with their cloud-based threat analysis servers.
This act makes security applications useless and provides the malware safe and free access to the device.
According to Symantec researchers, the malware isn’t as common among Chinese users, therefore, the risk associated isn’t that great either.
This malware can easily pose as a Google App known as “Google Service” by exploiting the absence of an official Google Play Store in China.
It must be noted that there is no such official Google App with this name.
Android.Spywaller is distributed through unofficial Android app stores and fools users to gain admin permissions.
The malware works in the background of the phone to steal information present on the device and later transfers it to one of its C&C (command and control) servers.
As per the report from Symantec team of researchers, Android.Spywaller is by far the most comprehensive Android spyware families they have discovered.
The app can search and exfiltrate data including SMS, call logs, GPS readings, emails, contact list, images, radio and system’s browser data.
Moreover, it also gathers data from apps like Oovoo, BlackBerry Messenger, Coco, QQ, Talkbox, Skype. SinaWeibo, Zello, TencentWeibo, WhatsApp, Vixer and Wechat.
Researchers believe that this malware family is the most intrusive of all spyware families ever identified as it covers multiple data types and information sources simultaneously.
