Image Source: Pexels
So you saw a notification about a system update on your Android phone and, quite obediently, tapped it so that your smartphone would keep working seamlessly. If so, you need to know this.
Cybersecurity researchers have recently found an information-stealing Trojan that targets Android devices. The spyware is efficient and sophisticated thanks to its data-exfiltration capabilities: it can collect data by recording your phone calls and audio, and it also collects your browser search history. The malware has previously disguised itself under the names of legitimate apps, and it is shrewd enough to masquerade as a "System Update" application. It can take control of the device.
According to an analysis by researchers from Zimperium, a mobile security company, "The spyware creates a notification if the device's screen is off when it receives a command using the Firebase messaging service." So the notification saying "searching for update" actually comes from the spyware, not from the Android operating system.
Wondering how it works?
Let me walk you through it. Once the "system update application", aka the spyware, has been installed on your Android device, it registers the device with a Firebase command-and-control (C2) server. The spyware tracks information such as storage statistics, battery percentage and whether WhatsApp is installed. It then gathers any data of interest and exports it to the server in an encrypted ZIP file.
Now let me tell you something: the spyware has some really "disturbingly" amazing stealth-focused capabilities, such as stealing browser bookmarks, pilfering contacts, abusing accessibility services and stealing messages. In addition, it keeps a record of the user's search history, phone calls, audio and photos. (Ouch! Sounds quite creepy!)
Image Source: Pexels
Not only that, but it can also keep a record of data from the device's clipboard, look for files with particular extensions and trace the victim's location. The Zimperium researchers further added that "The spyware's functionality and data exfiltration are triggered under multiple conditions, such as a new contact added, new SMS received or a new application installed, by making use of Android's content Observer and Broadcast receivers."
The spyware consolidates all of the data into multiple folders inside its private storage. Once the exfiltration is done, the malware deletes the ZIP files after receiving a "success" message from the server. The identity of the targeted victims, the malware authors and the purpose behind this sophisticated malicious campaign are yet to be known.
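The behaviour described above (a user-installed app posing as a system update, sideloaded rather than from the Play Store, asking for call, SMS, contact and location access, and abusing an accessibility service) gives a defender a concrete profile to look for. The script below is an added example, not code from the article or from Zimperium: it scores a constructed app inventory against that profile. The `InstalledApp` dataclass, the inventory entries, the "software update"/"security update" label variants and the scoring thresholds are this example's own assumptions; the permission names and the `com.android.vending` installer package are real Android identifiers. In practice the inventory fields would be filled from `adb shell dumpsys package` output.

```python
"""Defender-side triage of an Android app inventory against the behavioural
profile described in the article (non-system app posing as a system update,
sideloaded, broad data-collection permissions, accessibility service enabled).

Constructed example: the inventory below is made up; the dataclass and the
scoring rules are this example's own assumptions, not Zimperium's detection logic."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Real Android permission names matching the capabilities the article lists:
# call/audio recording, contacts, SMS, call logs and location.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
}

# "System Update" is the label the article names; the other two are assumed variants.
UPDATE_LABELS = ("system update", "software update", "security update")

PLAY_STORE = "com.android.vending"  # installer package recorded for Play Store installs


@dataclass
class InstalledApp:
    package: str
    label: str
    is_system: bool                      # shipped in the system image
    installer: Optional[str]             # None when sideloaded or unknown
    permissions: Set[str] = field(default_factory=set)
    accessibility_enabled: bool = False  # app has an enabled AccessibilityService


def triage(app: InstalledApp) -> List[str]:
    """Return the reasons this app matches the profile (empty list = nothing found)."""
    reasons: List[str] = []
    if app.is_system:
        # Genuine update components live in the system image; the article's
        # spyware is a user-installed app, so system apps are not scored here.
        return reasons
    if any(k in app.label.lower() for k in UPDATE_LABELS):
        reasons.append("user-installed app labelled as a system update")
    if app.installer != PLAY_STORE:
        reasons.append(f"sideloaded (installer={app.installer!r})")
    granted = app.permissions & SENSITIVE_PERMISSIONS
    if len(granted) >= 3:
        reasons.append(f"requests {len(granted)} data-collection permissions")
    if app.accessibility_enabled:
        reasons.append("accessibility service enabled (can read screen content)")
    return reasons


def find_suspicious(inventory: List[InstalledApp],
                    min_reasons: int = 2) -> List[Tuple[str, List[str]]]:
    """Apps with at least `min_reasons` matching indicators, most indicators first."""
    hits = [(app.package, triage(app)) for app in inventory]
    hits = [(pkg, r) for pkg, r in hits if len(r) >= min_reasons]
    return sorted(hits, key=lambda h: -len(h[1]))


# Constructed inventory: one impostor, one system app, two benign user apps.
SAMPLE_INVENTORY = [
    InstalledApp("com.example.sysupdate", "System Update", False, None,
                 {"android.permission.RECORD_AUDIO",
                  "android.permission.READ_CONTACTS",
                  "android.permission.READ_SMS",
                  "android.permission.READ_CALL_LOG",
                  "android.permission.ACCESS_FINE_LOCATION"},
                 accessibility_enabled=True),
    InstalledApp("com.android.vending", "Google Play Store", True, None,
                 {"android.permission.INTERNET"}),
    InstalledApp("com.example.messenger", "Messenger", False, PLAY_STORE,
                 {"android.permission.READ_CONTACTS",
                  "android.permission.RECORD_AUDIO",
                  "android.permission.RECEIVE_SMS"}),
    InstalledApp("com.example.flashlight", "Flashlight", False, None,
                 {"android.permission.CAMERA"}),
]

if __name__ == "__main__":
    for pkg, reasons in find_suspicious(SAMPLE_INVENTORY):
        print(pkg)
        for r in reasons:
            print("  -", r)
```

Only the impostor reaches the default threshold of two indicators; the messenger app (three sensitive permissions, but installed from the Play Store) and the sideloaded flashlight each score one, which is why a single signal is not treated as a verdict. The accessibility check matters most: an enabled accessibility service lets an app read what is on screen, which is the mechanism the article's "abusing accessibility services" refers to.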