
New Android malware with full range of spying capabilities has been found


Researchers have discovered a new advanced piece of Android malware that finds sensitive information stored on infected devices and sends it to attacker-controlled servers.

The app disguises itself as a system update that must be downloaded from a third-party store, researchers from security firm Zimperium said on Friday. In fact, it’s a remote-access trojan that receives and executes commands from a command-and-control server. It provides a full-featured spying platform that performs a wide range of malicious activities.

Soup to nuts

Zimperium listed the following capabilities:

Stealing instant messenger messages
Stealing instant messenger database files (if root is available)
Inspecting the default browser’s bookmarks and searches
Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser
Searching for files with specific extensions (including .pdf, .doc, .docx, .xls, and .xlsx)
Inspecting the clipboard data
Inspecting the content of the notifications
Recording audio
Recording phone calls
Periodically taking pictures (through either the front or back camera)
Listing the installed applications
Stealing images and videos
Monitoring the GPS location
Stealing SMS messages
Stealing phone contacts
Stealing call logs
Exfiltrating device information (e.g., installed applications, device name, storage stats)
Concealing its presence by hiding the icon from the device’s drawer/menu

Messaging apps whose database files can be stolen this way include WhatsApp, which billions of people use, often in the expectation that it provides greater confidentiality than other messengers. As noted, the databases can be read only if the malware has root access to the infected device, and the attackers can generally obtain root only on devices running older versions of Android.


If the malicious app doesn't acquire root, it can still collect conversations and message details from WhatsApp by tricking users into enabling Android accessibility services for it. Accessibility services are controls built into the OS that make it easier for users with vision impairments or other disabilities to use devices by, for instance, modifying the display or having the device provide spoken feedback. An app granted accessibility access receives the text and structure of whatever is drawn on screen, so once the permission is enabled the malicious app can scrape the content of the WhatsApp window without ever touching WhatsApp's files.

Another capability is stealing files stored in a device’s external storage. To reduce bandwidth consumption that could tip off a victim that a device is infected, the malicious app steals image thumbnails, which are much smaller than the images they correspond to. When a device is connected to Wi-Fi, the malware sends stolen data from all folders to the attackers. When only a mobile connection is available, the malware sends a more limited set of data.

As full-featured as the spying platform is, it suffers from a key limitation: it cannot infect a device without first tricking the user into making decisions that more experienced people know aren't safe. First, users must download the app from a third-party source. As problematic as Google's Play Store is, it's generally a more trustworthy place to get apps. Users must also be socially engineered into enabling accessibility services for some of the advanced features to work.
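The two prerequisites just described, a sideloaded package and an accessibility service enabled for it, are also the cheapest things to audit on a device you suspect. The script below is an added example for this page, not Zimperium's code or anything from the malware itself. It parses the output of two adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags any package that has an accessibility service enabled but was not installed by a known app store. The sample command outputs, the package name `com.example.sysupdate` and the `KNOWN_STORE_INSTALLERS` set are constructed for the example; the assumed output formats are `pkg/service:pkg2/service2` for the secure setting and `package:<name>  installer=<installer>` for the package listing, with `installer=null` for sideloaded apps.

```python
"""Triage helper for the sideloaded-spyware pattern described above.

Added example, not code from the page, Zimperium or the malware. It flags
packages that (a) were not installed by a known app store and (b) have an
accessibility service enabled, which is the combination the spyware needs
to scrape WhatsApp without root.
"""
import subprocess
from typing import Dict, List, Tuple

# Installers treated as trusted stores. Assumption for the example: extend it
# with any OEM store (e.g. Samsung's) that a given fleet is allowed to use.
KNOWN_STORE_INSTALLERS = {"com.android.vending"}

# Constructed sample output of
#   adb shell settings get secure enabled_accessibility_services
# Entries are "package/service" separated by ':'; a service starting with '.'
# is relative to its package name.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/.AccessService"
)

# Constructed sample output of `adb shell pm list packages -i`.
# Sideloaded apps report installer=null.
SAMPLE_INSTALLERS = """package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.whatsapp  installer=com.android.vending
"""


def parse_accessibility_services(raw: str) -> List[Tuple[str, str]]:
    """Split the secure setting into (package, fully qualified service) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset: nothing enabled
        return []
    pairs = []
    for entry in raw.split(":"):
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):           # ".Foo" means "<pkg>.Foo"
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package ("null" when sideloaded)."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, inst = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = inst.strip() or "null"
    return installers


def flag_suspicious(access_raw: str, installers_raw: str) -> List[dict]:
    """Packages with an enabled accessibility service that did not come from a store."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, svc in parse_accessibility_services(access_raw):
        installer = installers.get(pkg, "unknown")
        if installer not in KNOWN_STORE_INSTALLERS:
            findings.append({"package": pkg, "service": svc, "installer": installer})
    return findings


def adb(*args: str) -> str:
    """Run an adb shell command against the connected device (adb must be on PATH)."""
    return subprocess.run(
        ["adb", "shell", *args], capture_output=True, text=True, check=True
    ).stdout


def triage_live_device() -> List[dict]:
    """Same check, but against a real device over adb instead of the samples."""
    return flag_suspicious(
        adb("settings", "get", "secure", "enabled_accessibility_services"),
        adb("pm", "list", "packages", "-i"),
    )


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_ACCESSIBILITY, SAMPLE_INSTALLERS):
        print(f"{f['package']}: accessibility service {f['service']} enabled, "
              f"installer={f['installer']}")
```

On the constructed samples only `com.example.sysupdate` is flagged: TalkBack has an accessibility service enabled too, but it came from Play. A hit is a lead, not a verdict; the next step is to pull the APK with `adb pull` and inspect the service and its permissions, since legitimate sideloaded accessibility tools exist.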

Google declined to comment except to reiterate that the malware was never available in Play.
