In recent weeks, Zimperium zLabs researchers have revealed insecure cloud configurations that expose user data in thousands of legitimate Android and iOS apps. Now, zLabs is warning Android users about a sophisticated new piece of Android malware.
The malware poses as a "System Update" app and is built to steal data, pictures and messages and to take full control of an Android phone. Once in control, the attackers can record audio and phone calls, view browser history, take pictures and read WhatsApp messages, among other operations.
zLabs researchers uncovered the fake System Update application after the z9 malware engine that powers zIPS flagged it on a protected device. Investigation showed that the flagged activity belonged to an advanced spyware campaign with extensive capabilities. The researchers confirmed with Google that no such app had ever been published on Google Play or was scheduled for release there.
Its list of capabilities is long. The malware can steal messages from instant messaging apps and, if the device is rooted, their database files; inspect the default browser's bookmarks and searches, as well as bookmark and search history from Google Chrome, Mozilla Firefox and Samsung Internet; search for files with the extensions .doc, .docx, .pdf, .xls and .xlsx; read clipboard data and notification content; periodically take pictures with the front or back camera; list installed applications; steal images and videos; monitor the device's GPS location; steal phone contacts, SMS messages and the call log; and exfiltrate device information such as the device name and storage details. It can also conceal itself by hiding its icon from the device's app drawer.
The malware is distributed through third-party app stores rather than Google Play and is driven by a Firebase-based command-and-control (C&C) channel. Once installed, it reports to the C&C whether WhatsApp is present, the battery percentage, storage statistics, the Internet connection type and its Firebase messaging service token. The C&C then issues commands over Firebase messaging, including "update" and "refreshAllData", which trigger collection and exfiltration of the data listed above, together with any newly generated Firebase token.
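As an added example, not Zimperium's code or anything from its report, the following Python script maps the capabilities listed above to the Android manifest declarations an app needs in order to have them, and flags the combination of many such capabilities plus a Firebase messaging receiver (the push channel the C&C uses for its "update" and "refreshAllData" commands) as spyware-like. Both manifests are constructed for the example and their package and component names are hypothetical. Clipboard reading needs no permission and hiding the icon at runtime leaves no manifest trace, so the script cannot see either; it is a triage aid for a suspicious APK, not proof.

```python
"""Manifest triage for the capability set described above.

Added example, not Zimperium's code. The permission-to-capability mapping is
standard Android; the manifests are constructed and their names hypothetical.
"""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android XML namespace

# Standard Android permission -> capability the article attributes to the spyware.
PERMISSION_CAPABILITIES = {
    "android.permission.READ_SMS": "steal SMS messages",
    "android.permission.RECEIVE_SMS": "steal SMS messages",
    "android.permission.READ_CONTACTS": "steal phone contacts",
    "android.permission.READ_CALL_LOG": "steal call log",
    "android.permission.RECORD_AUDIO": "record audio and phone calls",
    "android.permission.CAMERA": "take pictures with the cameras",
    "android.permission.ACCESS_FINE_LOCATION": "monitor GPS location",
    "android.permission.READ_EXTERNAL_STORAGE": "read documents, images and videos",
    "android.permission.QUERY_ALL_PACKAGES": "list installed applications",
}
NOTIFICATION_LISTENER = "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"
LAUNCHER = "android.intent.category.LAUNCHER"

# Chosen so that a chat app (contacts + camera + FCM) stays below the line while a
# device-takeover tool with most of the listed capabilities lands well above it.
SPYWARE_THRESHOLD = 5


def triage_manifest(manifest_xml):
    """Return the spyware-like indicators found in an AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml.strip())
    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    actions = {e.get(A + "name") for e in root.iter("action")}
    categories = {e.get(A + "name") for e in root.iter("category")}

    capabilities = {cap for perm, cap in PERMISSION_CAPABILITIES.items() if perm in perms}
    # Reading notification content needs a service guarded by the listener permission.
    if any(s.get(A + "permission") == NOTIFICATION_LISTENER for s in root.iter("service")):
        capabilities.add("read notification content")
    fcm_receiver = FCM_ACTION in actions          # push channel usable as a C&C trigger
    has_launcher_icon = LAUNCHER in categories    # no icon at all is itself a hint

    # Clipboard access needs no permission, and hiding the icon at runtime via
    # PackageManager.setComponentEnabledSetting leaves no trace here: both are blind spots.
    score = len(capabilities) + int(fcm_receiver) + int(not has_launcher_icon)
    return {
        "capabilities": sorted(capabilities),
        "fcm_receiver": fcm_receiver,
        "has_launcher_icon": has_launcher_icon,
        "score": score,
        "suspicious": score >= SPYWARE_THRESHOLD,
    }


# Constructed manifest shaped like the spyware described above (hypothetical names).
SPYWARE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.sysupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
    <service android:name=".NotifService"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary chat app: FCM plus a couple of permissions.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".PushService">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("spyware-like", SPYWARE_MANIFEST), ("chat app", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(label, result["score"], "suspicious" if result["suspicious"] else "ok")
        for cap in result["capabilities"]:
            print("   ", cap)
```

The point of scoring the combination rather than any single permission is that every item on the list is legitimate on its own; a chat app with contacts, camera and Firebase push scores 3 here, while a manifest carrying the SMS, call-log, microphone, camera, location, storage and notification-listener set together with a push receiver scores 9. To confirm a hit, the next step is dynamic analysis of what the app actually sends to its Firebase endpoint, which the manifest cannot tell you.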