Researchers have discovered a new advanced piece of Android malware that detects sensitive information stored on infected devices and sends it to servers controlled by attackers.
The app masquerades as a system update that must be downloaded from a third-party source, researchers from security company Zimperium said Friday. In fact, it is a remote access trojan that receives and executes commands from a command-and-control server. It provides a full-featured spying platform that performs a wide range of malicious activity.
Soup to nuts
Zimperium listed the following capabilities:
- Stealing instant messenger messages
- Stealing instant messenger database files (if root is available)
- Inspecting the default browser's bookmarks and searches
- Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser
- Searching for files with specific extensions (including .pdf, .doc, .docx, .xls, and .xlsx)
- Inspecting the clipboard data
- Inspecting the content of notifications
- Recording audio
- Recording phone calls
- Periodically taking pictures (through either the front or rear camera)
- Listing the installed applications
- Stealing images and videos
- Monitoring the GPS location
- Stealing SMS messages
- Stealing phone contacts
- Stealing call logs
- Exfiltrating device information (e.g., installed applications, device name, storage stats)
- Concealing its presence by hiding its icon from the device's drawer/menu
Messaging apps vulnerable to database theft include WhatsApp, which is used by billions of people, often in the expectation that it offers more confidentiality than other messengers. As noted, the databases can be accessed only if the malware has root access to the infected device. Attackers are likely to be able to root infected devices only when they run older versions of Android.
Even when the malicious app cannot obtain root, it can still collect conversations and message details from WhatsApp by tricking users into enabling Android accessibility services. Accessibility services are features built into the OS that make devices easier to use for people with visual impairments or other disabilities by, for example, modifying the display or providing spoken feedback. Once accessibility services are enabled, the malicious app can scrape the content shown on the WhatsApp screen.
Another capability is stealing files stored in a device's external storage. To limit the bandwidth consumption that a victim might notice on an infected device, the malicious app steals thumbnails, which are much smaller than the images they correspond to. When a device is connected to Wi-Fi, the malware sends stolen data from all folders to the attackers. When only a mobile connection is available, it sends a more limited set of data.
For all its breadth as a spying platform, it suffers from a major limitation: it cannot infect devices without first convincing users to make choices that more experienced people know are unsafe. First, users must download the app from a third-party source; for all of the Google Play Store's problems, it is usually a more reliable place to get apps. Users must also be socially engineered into enabling accessibility services for some of the more advanced features to work.
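Both of those preconditions leave a trace an administrator can check over adb: the list of enabled accessibility services (`settings get secure enabled_accessibility_services`) and each third-party package's recorded installer (`pm list packages -3 -i`). The script below is an added example, not Zimperium's or Google's tooling; it flags any enabled accessibility service whose package was sideloaded (installer other than Google Play) and runs offline against constructed sample output, with the package and service names being made up.

```shell
#!/bin/sh
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (format: pkg/ServiceClass entries separated by ':'). Names are hypothetical.
SAMPLE_SERVICES='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.google.android.apps.accessibility.voiceaccess/.VoiceAccessService:com.example.sysupdate/.SpyAccessibilityService'

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps only).
# A sideloaded app shows installer=null; Play-installed apps show com.android.vending.
SAMPLE_PACKAGES='package:com.google.android.apps.accessibility.voiceaccess  installer=com.android.vending
package:com.example.sysupdate  installer=null'

# Print "<pkg> installer=<installer>" for every enabled accessibility service whose
# package is a third-party app not installed from Google Play. Preinstalled services
# (absent from the -3 list) and Play-installed ones are not reported.
flag_sideloaded_a11y() {
    services="$1"
    packages="$2"
    printf '%s\n' "$services" | tr ':' '\n' | cut -d/ -f1 | sort -u | while read -r pkg; do
        [ -n "$pkg" ] || continue
        # Look the package up in the third-party list; `|| true` keeps `set -e` quiet.
        line=$(printf '%s\n' "$packages" | grep -F "package:$pkg " || true)
        [ -n "$line" ] || continue          # not third-party: preinstalled, skip
        inst=${line##*installer=}
        case "$inst" in
            com.android.vending) ;;         # installed from Google Play: not flagged
            *) printf '%s installer=%s\n' "$pkg" "$inst" ;;
        esac
    done
}

# Same check against a connected device (not run here; needs adb and a device).
check_device() {
    flag_sideloaded_a11y \
        "$(adb shell settings get secure enabled_accessibility_services)" \
        "$(adb shell pm list packages -3 -i)"
}

# Demo on the constructed sample: reports only the sideloaded package.
flag_sideloaded_a11y "$SAMPLE_SERVICES" "$SAMPLE_PACKAGES"
```

Run `check_device` instead of the demo line to inspect a real handset; an unfamiliar package appearing there is worth investigating, since a Play-installed app with a legitimate accessibility use case will show `installer=com.android.vending`.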
Google declined to comment but reiterated that the malware was never available in Play.