In recent weeks, Zimperium zLabs researchers have revealed insecure cloud setups exposing user data on thousands of legitimate Android and iOS apps. Now zLabs advises Android users on a new smart and malicious Android app.

This latest malware takes the form of a system update application in order to steal data, images, messages and take control of all Android phones. After gaining control, attackers can record audio and phone calls, view browser history, take photos, and access WhatsApp messages, among other activities.

ZLabs researchers discovered this purported system update application after detecting an application reported by the z9 malware engine enabling detection on the zIPS device. An investigation showed that this activity was linked to an advanced spyware campaign with complex capabilities. The researchers sealed the deal after confirming with Google that such an app never existed and was never to be released on Google Play.

With a long list of compromising capabilities, this malware can steal messages from instant messaging systems and their database files using root, examine favorites and searches of default browsers, inspect favorites and search history in Google Chrome, Mozilla Firefox and Samsung Internet browsers, search for files with specific extensions .doc, .docx, .pdf, .xls and .xlsx; examine clipboard data and notification content, take periodic photos via front or rear camera, view installed apps, steal images and videos, monitor via GPS, steal phone contacts and SMS messages as well as call logs and exfiltrate device information such as device name and data storage. Moreover, the malware can even hide itself by hiding its icon in the device menu.

This malware works by running on Firebase Command and Control (C&C) when installing from a non-Google third-party app store, listed as “update” and “refreshAllData”. To enhance its sense of legitimacy, the app contains information about features like WhatsApp presence, battery percentage, storage stats, internet connection type, and Firebase messaging service token. Once the user chooses to “update” the existing information, the application infiltrates the affected device. During the broadcast, the C&C receives all relevant data, including the new generated Firebase token.

While Firebase communication performs the necessary commands, the dedicated C&C server uses a POST request to collect the stolen data. Notable actions that trigger the app exfiltration include adding a new contact, installing a new app through Android’s contentObserver, or receiving a new text message.

© Science X Network 2021

In recent weeks, Zimperium zLabs researchers have revealed insecure cloud setups exposing user data on thousands of legitimate Android and iOS apps. Now zLabs advises Android users on a new smart and malicious Android app.

This latest malware takes the form of a system update application in order to steal data, images, messages and take control of all Android phones. After gaining control, attackers can record audio and phone calls, view browser history, take photos, and access WhatsApp messages, among other activities.

ZLabs researchers discovered this purported system update application after detecting an application reported by the z9 malware engine enabling detection on the zIPS device. An investigation showed that this activity was linked to an advanced spyware campaign with complex capabilities. The researchers sealed the deal after confirming with Google that such an app never existed and was never to be released on Google Play.

With a long list of compromising capabilities, this malware can steal messages from instant messaging systems and their database files using root, examine favorites and searches of default browsers, inspect favorites and search history in Google Chrome, Mozilla Firefox and Samsung Internet browsers, search for files with specific extensions .doc, .docx, .pdf, .xls and .xlsx; review clipboard data and notification content, take periodic photos via front or rear camera, view installed apps, steal images and videos, monitor via GPS, steal phone contacts and SMS messages as well as call logs and exfiltrate device information such as device name and data storage. Moreover, the malware can even hide itself by hiding its icon in the device menu.

This malware works by running on Firebase Command and Control (C&C) when installing from a non-Google third-party app store, listed as “update” and “refreshAllData”. To enhance its sense of legitimacy, the app contains information about features like WhatsApp presence, battery percentage, storage stats, internet connection type, and Firebase messaging service token. Once the user chooses to “update” the existing information, the application infiltrates the affected device. During the broadcast, the C&C receives all relevant data, including the new generated Firebase token.

While Firebase communication performs the necessary commands, the dedicated C&C server uses a POST request to collect the stolen data. Notable actions that trigger the app exfiltration include adding a new contact, installing a new app through Android’s contentObserver, or receiving a new text message.

© Science X Network 2021