Hundreds of thousands of users ended up with spyware on their devices after downloading seemingly legitimate applications from Google Play, Trend Micro security researchers have discovered.
Detected as MobSTSPY, the malware, which can gather various information from the victims, isn’t new. For distribution, its operators chose to masquerade the threat as legitimate Android applications and submit them to Google Play.
Trend Micro discovered a total of six such applications, including FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher, Flappy Bird, and Flappy Birr Dog. Available for download in Google Play in 2018, some of these were downloaded over 100,000 times by users from all over the world.
Once one of these applications has been installed on the victim’s device, the spyware proceeds to steal information such as SMS conversations, call logs, user location, and clipboard items. The malware sends the collected information to the attacker’s server using Firebase Cloud Messaging.
Upon initial execution, the malware checks the device’s network availability, after which it reads and parses an XML configuration file from its command and control (C&C) server. Next, it collects information such as language used on the device, registered country, package name, manufacturer, etc.
The information is then sent to the C&C server for registration purposes. After this step has been completed, the malware waits for the server to send over commands to execute.
Based on the received commands, the spyware can not only steal SMS messages and call logs, but can also retrieve contact lists and files found on the device.
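The behaviour described above (SMS, call logs, location, contacts and file access, with Firebase Cloud Messaging used to carry data to the operator) maps onto a small set of Android permissions and a known FCM receiver action, which an app-vetting pipeline can check before installation. The following triage script is an added example and is not code from Trend Micro or from the article; the permission strings and the FCM action are real Android identifiers, while the two manifests, the package names and the scoring threshold are constructed for illustration. It flags a manifest only when several of the capabilities above are requested together with an FCM receiver, since FCM on its own is common in legitimate apps.

```python
# Added example (not from the Trend Micro report or the article): score an
# AndroidManifest.xml for the data-access capabilities the article attributes
# to MobSTSPY, combined with a Firebase Cloud Messaging receiver.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capability buckets mapped to the real Android permissions that grant them.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Real intent action that a Firebase Cloud Messaging service declares.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Constructed sample: a "flashlight" app requesting far more than it needs.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".MsgService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample: a flashlight app that asks only for the camera.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""


def parse_manifest(xml_text):
    """Return the package name, requested permissions and declared intent actions."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    actions = {el.get(NAME_ATTR) for el in root.iter("action")}
    return {"package": root.get("package"), "permissions": perms, "actions": actions}


def capabilities(perms):
    """List the capability buckets that the requested permissions unlock."""
    return sorted(cap for cap, needed in CAPABILITIES.items() if perms & needed)


def triage(xml_text, threshold=3):
    """Flag a manifest that combines several spyware-grade capabilities with FCM.

    threshold is a constructed tuning value; FCM alone is not treated as a signal.
    """
    info = parse_manifest(xml_text)
    caps = capabilities(info["permissions"])
    uses_fcm = FCM_ACTION in info["actions"]
    return {
        "package": info["package"],
        "capabilities": caps,
        "uses_fcm": uses_fcm,
        "suspicious": uses_fcm and len(caps) >= threshold,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

The heuristic is a triage signal, not a verdict: a messaging or backup app may legitimately request the same combination, so a hit should route the package to manual review or dynamic analysis rather than block it outright.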
The malware can also perform a phishing attack to gather credentials from the infected device, the security researchers discovered. It can display fake Facebook and Google pop-ups, thus tricking the user into revealing their account details.
After the user provides the credentials, a fake pop-up informs them the log-in was unsuccessful, but at this point the malware has already stolen the credentials.
“Part of what makes this case interesting is how widely its applications have been distributed. Through our back-end monitoring and deep research, we were able to see the general distribution of affected users and found that they hailed from a total of 196 different countries,” the security researchers note.
India was affected the most, with over 31% of infections, followed by Russia (7.5%), Pakistan (4.8%), Bangladesh (4.7%), and Indonesia (3.4%). Brazil, Egypt, Ukraine, Turkey, and the United States were also among the top ten most impacted countries.
“This case demonstrates that despite the prevalence and usefulness of apps, users must remain cautious when downloading them to their devices. The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks,” Trend Micro concludes.