Researchers have discovered a new advanced piece of Android malware that finds sensitive information stored on infected devices and sends it to attacker-controlled servers.
The app disguises itself as a system update that must be downloaded from a third-party store, researchers from security firm Zimperium said on Friday. In fact, it’s a remote-access trojan that receives and executes commands from a command-and-control server. It provides a full-featured spying platform that performs a wide range of malicious activities.
Soup to nuts
Zimperium listed the following capabilities:
- Stealing instant messenger messages
- Stealing instant messenger database files (if root is available)
- Inspecting the default browser’s bookmarks and searches
- Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser
- Searching for files with specific extensions (including .pdf, .doc, .docx, and .xls, .xlsx)
- Inspecting the clipboard data
- Inspecting the content of the notifications
- Recording audio
- Recording phone calls
- Periodically take pictures (either through the front or back cameras)
- Listing of the installed applications
- Stealing images and videos
- Monitoring the GPS location
- Stealing SMS messages
- Stealing phone contacts
- Stealing call logs
- Exfiltrating device information (e.g., installed applications, device name, storage stats)
- Concealing its presence by hiding the icon from the device’s drawer/menu
Messaging apps that are vulnerable to the database theft include WhatsApp, which billions of people use, often with the expectation that it provides greater confidentiality than other messengers. As noted, the databases can be accessed only if the malware has root access to the infected device. Hackers are able to root infected devices when they run older versions of Android.
If the malicious app doesn’t acquire root, it can still collect conversations and message details from WhatsApp by tricking users into enabling Android accessibility services. Accessibility services are controls built into the OS that make it easier for users with vision impairments or other disabilities to use devices by, for instance, modifying the display or having the device provide spoken feedback. Once accessibility services are enabled, the malicious app can scrape the content on the WhatsApp screen.
Another capability is stealing files stored in a device’s external storage. To reduce bandwidth consumption that could tip off a victim that a device is infected, the malicious app steals image thumbnails, which are much smaller than the images they correspond to. When a device is connected to Wi-Fi, the malware sends stolen data from all folders to the attackers. When only a mobile connection is available, the malware sends a more limited set of data.
As full-featured as the spying platform is, it suffers from a key limitation—namely, the inability to infect devices without first tricking users into making decisions that more experienced people know aren’t safe. First, users must download the app from a third-party source. As problematic as Google’s Play Store is, it’s generally a more trustworthy place to get apps. Users must also be social engineered into enabling accessibility services for some of the advanced features to work.
Google declined to comment except to reiterate that the malware was never available in Play.