Detect new Android malware fake system update to track and steal user information
International cybersecurity researchers recently discovered a new Android malware with deep espionage capabilities. After successfully penetrating the target Android system, the malicious code will immediately hide and silently steal many types of important data on the system.
More dangerously, the malware can disguise itself as a system update and is designed to automatically trigger whenever new information is entered into a device.
However, this spyware can only be installed as a 'System Update' app available on third-party Android app stores because it has never appeared on the Google Play Store. This feature greatly reduces the spread of the malware, as most experienced users will avoid installing it in the first place on their systems.
Greedy malware
This Remote Access Trojan (RAT) has the ability to steal data quite 'fearsome'. It can collect and extract a wide range of information from an infected Android device to its command and control server (C2 server), which includes many types of important personal data.
Researchers Zimperium - who first discovered the malicious code - observed the entire process of "data stealing, messages, photos and Android phone hijacking" that the trojan performed.
'Once the target device is in control, the hacker can order malicious code to record audio and phone calls, take pictures, review browser history, access WhatsApp messages and more' , Zimperium experts said.
The malware's ability to steal data on a large scale includes:
- Stealing SMS messages;
- Stealing SMS database files (if root is available);
- Check the default browser's bookmarks and search query;
- Check bookmarks and search history on Google Chrome, Mozilla Firefox and Samsung Internet Browser;
- Search for files with a specific extension (including .pdf, .doc, .docx and .xls, .xlsx);
- Check clipboard data;
- Check the content of announcements;
- Recording;
- Voice call recording;
- Take pictures (via front or rear camera);
- Access the list of installed applications;
- Stealing photos and videos;
- GPS location monitoring;
- Stealing SMS messages;
- Stealing phone contacts;
- Stealing call logs;
- Filter device information (eg installed applications, device name, memory statistics).
After infecting on an Android device, the malware sends some pieces of information to its Firebase C2 server, including statistics about memory, type of internet connection, and presence of applications. apps like WhatsApp, Facebook .
The malicious code will collect data directly if it has root access or will use Accessibility Services after tricking the victim to enable the feature on the compromised device.
It will also scan the external storage for any cached or stored data, then collect and distribute it to C2 servers when the user connects to the Wi-Fi network.
The ability to hide
Unlike other malware designed to steal data, this malware will only be activated using the Android contentObserver and Broadcast receiver when certain conditions are met, such as add a new contact, a new text message, or a new app being installed.
'Commands received through the Firebase messaging service will initiate actions like recording from the microphone and filtering data like SMS messages,' Zimperium said. 'Firebase communication is only used to issue commands and a dedicated C&C server is used to collect stolen data using POST requests'.
The malware will also display a "Searching for update ." fake system update message when it receives new commands from the drivers to disguise its malicious activity.
Additionally, this spyware also conceals its presence on infected Android devices by hiding the icon from the drawer / menu.
To avoid detection, it will only steal the thumb of the video and images it finds, thereby reducing the victim's bandwidth consumption to avoid attracting their attention to background filtering.
Unlike other malware that collects data in bulk, this malware will ensure that it only filters the most recent data, collects location data created and photos taken in the previous few minutes of the crash. multiply.
For now, all activities of this new malware are still closely monitored.
You should read it
- 5 types of data theft you should know to prevent
- BankBot is back on Play Store - an uninterrupted story about malware on Android
- Modular Malware - New stealth attack method to steal data
- Malware spreads through crack software specializing in stealing Facebook, Instagram, and Twitter accounts
- Discover a new kind of malicious code that can record the phone call to extort money
- Even if denied access, thousands of Android applications can still track you
- What is data exfiltration? How to prevent this dangerous behavior?
- 5 types of malware on Android
- Detecting Android malware can easily steal OTP code without the victim knowing
- 7 best anti-theft apps to protect Android device
- Risks from malware and how to prevent it
- New malware discovered that can bypass Windows SmartScreen and steal user data
Maybe you are interested
IBM Unveils Breakthrough Optical Data Transmission Technology That Enables 'Light-Speed' AI Training
How to use the Round function in Excel to round numbers and process data
How to Overwrite Deleted Data on a Drive in Windows 11/10
How to sort data in Excel using Sort is extremely simple
How to stay safe from 'SpyLoan' Android apps that use your data to blackmail you
6 Excel functions to find data quickly