Researchers have discovered a new advanced piece of Android malware that finds sensitive information stored on infected devices and sends it to attacker-controlled servers.
The app disguises itself as a system update that must be downloaded from a third-party store, researchers from the security company Zimperium said on Friday. In fact, it is a remote access trojan that receives and executes commands from a command-and-control server. It provides a complete espionage platform that performs a wide range of malicious activities.
Soup to nuts
Zimperium listed the following capabilities:
- Steals instant messages
- Steals instant messenger database files (if root is available)
- Inspects the default browser's bookmarks and searches
- Inspects bookmarks and search history from Google Chrome, Mozilla Firefox and Samsung Internet Browser
- Searches for files with specific extensions (including .pdf, .doc, .docx, .xls and .xlsx)
- Inspects clipboard data
- Inspects the content of notifications
- Records audio
- Records phone calls
- Takes pictures periodically (through either the front or rear camera)
- Lists installed applications
- Steals photos and videos
- Monitors GPS location
- Steals SMS messages
- Steals phone contacts
- Steals call logs
- Exfiltrates device information (e.g., installed applications, device name, storage statistics)
- Hides its presence by removing its icon from the device's app drawer/menu
Messaging apps that are vulnerable to database theft include WhatsApp, which billions of people use, often with the expectation that it provides greater confidentiality than other messengers. As mentioned, the databases can only be accessed if the malware has root access to the infected device. Attackers are able to root infected devices that run older versions of Android.
If the malicious app does not gain root, it can still collect call and messaging details from WhatsApp by tricking users into enabling Android accessibility services. Accessibility services are controls built into the operating system that make it easier for users with visual or other disabilities to use their devices by, for example, altering the screen or having the device provide spoken feedback. Once accessibility services are enabled for the malicious app, it can scrape the contents of the WhatsApp screen.
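As an added defender-side example (not from the article or from Zimperium's report), this POSIX shell script audits the Android secure setting that lists enabled accessibility services and flags any service whose package is not on an assumed allowlist; on a real device the value comes from `adb shell settings get secure enabled_accessibility_services`, while the service names used here are constructed.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against an allowlist.
# Added example; the allowlist and the sample value below are assumptions.

# Packages expected to hold accessibility services on this fleet (assumed).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.switchaccess"

# audit_services VALUE
#   VALUE is the raw setting string: "pkg/ServiceClass:pkg2/ServiceClass2"
#   ("null" when no service is enabled). Prints one line per service whose
#   package is not allowlisted and returns 1 if any was found, else 0.
audit_services() {
    old_ifs="$IFS"
    IFS=':'
    set -- $1            # split the colon-separated list into positional args
    IFS="$old_ifs"
    found=0
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        [ "$entry" = "null" ] && continue
        pkg="${entry%%/*}"   # component name is package/class; keep the package
        ok=0
        for a in $ALLOWED_PKGS; do
            [ "$pkg" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'SUSPICIOUS accessibility service enabled: %s\n' "$entry"
            found=1
        fi
    done
    return $found
}

# Constructed sample: legitimate TalkBack plus an unknown "system update" app.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sysupdate/com.example.sysupdate.AccessService'

if audit_services "$SAMPLE"; then
    echo "no unexpected accessibility services enabled"
fi
```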
Another option is to steal files stored in the device
As complete as the espionage platform is, it suffers from a key limitation – namely the inability to infect devices without first tricking users into making decisions that more experienced people know are not safe. First, users need to download the app from a third-party source. As problematic as the Google Play Store is, it’s generally a more reliable place to get apps. Users must also be socially engineered into enabling accessibility services for some of the advanced features to work.
Google declined to comment except to repeat that the malware was never available in Play.