The malware can also control the device's front and back cameras to take photos periodically.
IT security researchers at Zimperium have discovered an Android malware capable of stealing sensitive data from infected devices and transferring it to attacker-controlled servers.
The malware is disguised as an app called "System Update" that must be sideloaded from a third-party store. It is a remote-access Trojan that receives and executes commands from a C&C server and offers a feature-rich espionage platform.
Spyware Can Take Full Control of the Device
This newly discovered malware can take complete control of the infected device and exfiltrate a wide range of data. Once the user installs the malicious app, it hides itself and stealthily sends the collected data to the attacker-controlled servers.
According to Zimperium researchers, the malware communicates with the attackers' Firebase server, through which the malware operators control the device remotely.
What kind of Data is under Threat?
The spyware can steal various sensitive data, including:
- SMS messages
- Search history
- Images and videos
- Browser bookmarks
- Contact information
- Device location
- Instant messenger messages
- Microphone recordings of ambient sound and phone calls
- Photos taken with the device's front and back cameras
- Clipboard contents and document files found on the device
How Does it Evade Detection?
The malware avoids drawing the victim's attention by keeping its network usage low. Instead of uploading full-size images, it sends thumbnails to its operators' servers, and it collects only the most recent location data and images rather than the full history.
Could it be a Targeted Campaign?
According to Zimperium CEO Shridhar Mittal, this operation could be part of a targeted campaign, and it is the most sophisticated attack chain he has seen recently.
“We discovered it to be a sophisticated spyware campaign with complex capabilities. We also confirmed with Google that the app was not and has never been on Google Play,” said Zimperium’s Aazim Yaswant in a blog post.
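Because the app was never on Google Play and had to be sideloaded from a third-party store, a quick triage step on a suspect device is to list every third-party package together with the package that installed it and flag anything not installed by Play. The following is an added example, not Zimperium's code or part of the original report: it parses the output of `adb shell pm list packages -3 -i` and returns the sideloaded packages. The sample output is constructed, the package names in it are invented for illustration, and the assumption that `com.android.vending` is the only trusted installer (and that the `package:... installer=...` line format matches your Android build) should be adjusted to the environment.

```python
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `adb shell pm list packages -3 -i` output
# (third-party packages and their installers). Not captured from a real
# device; the package names are invented for this example.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:org.mozilla.firefox  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.toolbox  installer=com.google.android.packageinstaller
package:com.example.store.app  installer=com.example.store
"""

# Assumption: Google Play (com.android.vending) is the only trusted installer.
# Add an MDM or enterprise store here if the fleet uses one.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumed line format: "package:<name>  installer=<installer|null>"
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse_pm_list(output: str) -> Dict[str, Optional[str]]:
    """Map each package name to its installer (None when pm reports 'null',
    i.e. a manual APK install with no recorded installer)."""
    result: Dict[str, Optional[str]] = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognized pm output line: {line!r}")
        installer = m.group("installer")
        result[m.group("pkg")] = None if installer == "null" else installer
    return result


def sideloaded_packages(installers: Dict[str, Optional[str]],
                        trusted=TRUSTED_INSTALLERS) -> List[str]:
    """Return, sorted, every package whose installer is not a trusted store.
    These are the candidates to inspect for a fake 'System Update' app."""
    return sorted(pkg for pkg, inst in installers.items() if inst not in trusted)


def collect_from_device() -> Optional[str]:
    """Run the real command if adb is on PATH and a device is attached;
    otherwise return None so the caller can fall back to sample data."""
    if shutil.which("adb") is None:
        return None
    try:
        proc = subprocess.run(
            ["adb", "shell", "pm", "list", "packages", "-3", "-i"],
            capture_output=True, text=True, timeout=30, check=True)
    except (subprocess.SubprocessError, OSError):
        return None
    return proc.stdout


if __name__ == "__main__":
    output = collect_from_device() or SAMPLE_PM_OUTPUT
    for pkg in sideloaded_packages(parse_pm_list(output)):
        print("sideloaded:", pkg)
```

Against the constructed sample this flags the three packages not installed by Play. A hit is not proof of infection, since legitimate apps are sideloaded too, but each flagged package is worth checking for a "System Update" label combined with camera, microphone, SMS, contacts and location permissions.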