Researchers have discovered a new cutting-edge piece of Android malware that finds sensitive information stored on infected devices and sends it to attacker-controlled servers.
The app disguises itself as a system update that must be downloaded from a third-party store, researchers at security firm Zimperium said Friday. In fact, it is a remote access trojan that receives and executes commands from a command-and-control server. It offers a full-featured spy platform that performs a wide range of malicious activities.
Soup to nuts
Zimperium listed the following capabilities:
- Steal instant messenger messages
- Steal instant messenger database files (if root is available)
- Inspect the default browser’s bookmarks and searches
- Inspect the bookmark and search history of Google Chrome, Mozilla Firefox and Samsung Internet Browser
- Search for files with specific extensions (including .pdf, .doc, .docx, .xls and .xlsx)
- Inspect the clipboard data
- View the content of notifications
- Record audio
- Record phone calls
- Take photos at regular intervals (through either the front or rear camera)
- List installed applications
- Steal images and videos
- Track the GPS location
- Steal text messages
- Steal phone contacts
- Steal call logs
- Exfiltrate device information (e.g. installed applications, device name, storage statistics)
- Hide its presence by hiding its icon in the device’s app drawer/menu
Messaging apps vulnerable to database theft include WhatsApp, which billions of people use, often with the expectation that it offers more confidentiality than other messengers. As noted, the databases are accessible only if the malware has root access to the infected device. Attackers can root infected devices that run older versions of Android.
If the malicious app does not acquire root, it can still collect conversations and message details from WhatsApp by tricking users into enabling Android accessibility services. Accessibility services are controls built into the operating system that make it easier for visually or otherwise impaired users to use their devices, for example by customizing the display or having the device provide spoken feedback. Once accessibility services are enabled for it, the malicious app can scrape the content displayed on the WhatsApp screen.
Another possibility is stealing files stored in a device’s external storage. To reduce bandwidth consumption that could alert a victim that a device is infected, the malicious app steals thumbnail images, which are much smaller than the images they correspond to. When a device is connected to Wi-Fi, the malware sends stolen data from all folders to the attackers. When only a cellular connection is available, the malware transmits a more limited set of data.
As comprehensive as the spy platform is, it has one major limitation: it cannot infect a device without first tricking the user into making choices that more experienced users know are unsafe. First, users must download the app from an external source. As problematic as Google’s Play Store is, it’s generally a more reliable place to get apps. Users must also be socially engineered into enabling accessibility services for some of the advanced features to work.
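Because the two prerequisites described above (a sideloaded app, then accessibility access granted to it) leave traces a defender can query, here is an added triage script, not code from Zimperium or from the article, that cross-checks the two. It assumes the text of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` entries, or `null`) and `adb shell pm list packages -i` (lines shaped like `package:<name>  installer=<installer>`); the sample output below is constructed, and the package names in it are hypothetical.

```python
"""Flag enabled accessibility services whose owning package was not installed
from a trusted store. Input is the captured text of two adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
"""
import re

# Assumption: Google Play's installer package name is com.android.vending.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer (None when pm reports 'null', i.e. sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_accessibility_services(setting_value: str) -> list:
    """Split the colon-separated 'pkg/ServiceClass' list; 'null' means none enabled."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [entry for entry in value.split(":") if entry]


def flag_suspicious_services(setting_value: str, pm_output: str) -> list:
    """Return (package, service, installer) for each enabled accessibility service
    whose package did not come from a trusted store. A sideloaded app that has
    been granted accessibility access matches the pattern described in the
    article; it is a lead to inspect, not proof of infection."""
    installers = parse_installers(pm_output)
    findings = []
    for entry in parse_accessibility_services(setting_value):
        pkg = entry.split("/", 1)[0]
        installer = installers.get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, entry, installer))
    return findings


# Constructed sample output (hypothetical packages, not from a real device).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.sysupdate/com.example.sysupdate.AccService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.whatsapp  installer=com.android.vending"""

if __name__ == "__main__":
    for pkg, svc, inst in flag_suspicious_services(SAMPLE_SETTING, SAMPLE_PM):
        print(f"REVIEW: {pkg} has accessibility service {svc} enabled; installer={inst}")
```

A hit only means the combination deserves a closer look at the package (who published it, what it requests, whether it has a launcher icon), since legitimate accessibility apps are sometimes sideloaded too.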
Google declined to comment, except to reiterate that the malware was never available in Play.