Spyware is triggered when certain actions are performed, such as adding a new contact.
Researchers have discovered a new "sophisticated" spy app for Android that masquerades as a software update.
According to Zimperium zLabs, the malware masquerades as a system update application while quietly exfiltrating user and device data.
It should be noted that the sample app detected by the team was found on a third-party app store, not the official Google Play store.
Remote Access Trojan
Once installed, the victim's device is registered with a Firebase command server used to issue commands while a separate command server is used to handle data theft.
The team specifies that data exfiltration is triggered when certain conditions are met, such as adding a new mobile contact, installing a new application or receiving an SMS.
The malware is a Remote Access Trojan (RAT) capable of stealing GPS data and SMS messages, contact lists and call logs, harvesting images and video files, recording audio through the microphone, hijacking the device's camera to take photos, examining browser tabs and history, listening to phone calls, and stealing operational information about the device, including storage statistics and the list of installed applications.
Watch out for WhatsApp
The content of instant messengers is also at risk, as the RAT abuses accessibility services to access these apps, including WhatsApp. If the victim's device has been rooted, the database records may also be taken. The application can also specifically search for file types such as .pdf, .doc, .docx, .xls, and .xlsx.
The RAT will also attempt to steal files from external storage media. However, since some content, like videos, may be too large to be exfiltrated without noticeably affecting connectivity, only thumbnails are sent.
“When the victim uses Wi-Fi, all of the stolen data is sent to the command server, while when the victim uses a mobile data connection, only a specific set of data is sent to the server,” the researchers note.
A "Sophisticated" Spy Campaign
Limiting malicious activity based on connectivity is one way to prevent users from suspecting that their device has been compromised. In addition, as soon as the information has been gathered and sent to the command server, the archive files are deleted in order not to be detected.
To ensure that only relevant and recent data is taken, the RAT operators have imposed time limits on the content: GPS records are exfiltrated only if they are less than five minutes old, and photos are subject to a 40-minute limit. Zimperium describes the malware as part of a "sophisticated spy campaign with complex capabilities."
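The connectivity gating and event-triggered uploads described above are a behavioural signature a defender can look for in per-app network telemetry. The following is an added triage example, not code from Zimperium or from the article; the app package names, telemetry records and trigger events are constructed, and the thresholds are assumptions chosen for illustration.

```python
"""Flag apps whose uploads are skewed to Wi-Fi and follow device trigger events.

All records and event timestamps below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed per-app upload telemetry: (timestamp, package, network, bytes_out).
RECORDS = [
    ("2021-03-26T10:00:40", "com.example.sysupdate", "wifi", 500000),
    ("2021-03-26T10:30:20", "com.example.sysupdate", "mobile", 8000),
    ("2021-03-26T11:01:10", "com.example.sysupdate", "wifi", 420000),
    ("2021-03-26T11:01:50", "com.example.sysupdate", "wifi", 300000),
    ("2021-03-26T09:15:00", "com.example.chat", "wifi", 200000),
    ("2021-03-26T10:45:00", "com.example.chat", "mobile", 150000),
    ("2021-03-26T11:30:00", "com.example.chat", "wifi", 90000),
]

# Constructed device events matching the triggers the article names.
EVENTS = [
    ("2021-03-26T10:00:00", "CONTACT_ADDED"),
    ("2021-03-26T10:30:00", "SMS_RECEIVED"),
    ("2021-03-26T11:00:00", "APP_INSTALLED"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def flag_connectivity_gated(records, events, window=timedelta(minutes=2), wifi_skew=20.0):
    """Return apps that (a) upload far more over Wi-Fi than over mobile data and
    (b) upload mostly within `window` after a trigger event. Thresholds are assumed."""
    per_app = defaultdict(lambda: {"wifi": 0, "mobile": 0, "uploads": []})
    for ts, app, net, n in records:
        per_app[app][net] += n
        per_app[app]["uploads"].append(parse(ts))
    event_times = [parse(t) for t, _ in events]
    flagged = {}
    for app, s in per_app.items():
        # Require both networks in use; a Wi-Fi-only app is not this pattern.
        if s["mobile"] == 0 or s["wifi"] / s["mobile"] < wifi_skew:
            continue
        after = sum(1 for u in s["uploads"]
                    if any(timedelta(0) <= u - e <= window for e in event_times))
        fraction = after / len(s["uploads"])
        if fraction >= 0.75:
            flagged[app] = {"wifi_bytes": s["wifi"], "mobile_bytes": s["mobile"],
                            "triggered_fraction": fraction}
    return flagged
```

A hit only justifies closer inspection of the app (origin outside Google Play, accessibility-service use, Firebase registration), not an automatic verdict.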
Earlier this month, Google removed a number of Android apps from the Play Store that contained a banking Trojan dropper. These utility applications, including a virtual private network (VPN) service, barcode recorder and scanner, were used to install mRAT and AlienBot.