Millions Download “System Update” Android Spyware via Google Play

Millions of users looking to get Android software updates have been tricked into downloading spyware on their devices through the Google Play marketplace, Zscaler reveals.

Posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software updates, the spyware made it to Google Play in 2014 and had registered between 1,000,000 and 5,000,000 downloads by the time Google was alerted and removed it from the store.

Instead of delivering on its promise, however, the malware spies on users’ exact geolocation and can send it to the attacker in real time. It receives commands from its operator via SMS messages, the security researchers explain.

The application’s Google Play page should have been a warning to users that it wasn’t what it appeared to be, given that it displayed blank screenshots and users were complaining about its lack of functionality, yet many still downloaded and installed it. The page also stated that the “application updates and enables special location features.”

When the user attempts to run the installed app, however, an error message is displayed: “Unfortunately, Update Service has stopped.” In the background, the application sets up an Android service and broadcast receiver to fetch the last known location and scan for incoming SMS messages.

The spyware is looking for incoming messages that feature a specific syntax, Zscaler explains: “the message should be more than 23 characters and should contain ‘vova-’ in the SMS body. It also scans for a message containing ‘get faq’.”
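The trigger syntax quoted above can be turned into a check over an exported SMS inbox, grouping hits by sender so a controlling number stands out. This is an added example, not code from Zscaler or from the app; the message field names, the sample data and the case-insensitive matching are assumptions.

```python
from collections import defaultdict

MIN_LEN = 23          # report: body must be MORE than 23 characters
MARKER = "vova-"      # report: body must contain this marker
FAQ_CMD = "get faq"   # report: the app also scans for this text


def classify(body):
    """Return why a message matches the reported syntax, or None."""
    text = body.lower()  # assumption: match case-insensitively to catch variants
    if MARKER in text and len(body) > MIN_LEN:
        return "vova-command"
    if FAQ_CMD in text:
        return "get-faq"
    return None


def scan(messages):
    """Group matching messages by sender as lists of (time, reason)."""
    hits = defaultdict(list)
    for msg in messages:
        reason = classify(msg["body"])
        if reason:
            hits[msg["sender"]].append((msg["time"], reason))
    return dict(hits)


# Constructed sample export. Field names, numbers and bodies are hypothetical;
# the text after "vova-" is padding, not the real command format.
SAMPLE = [
    {"sender": "+15550100", "time": "2020-01-01T09:12:00",
     "body": "Your parcel arrives tomorrow, reply STOP to opt out"},
    {"sender": "+15550111", "time": "2020-01-01T10:00:00",
     "body": "vova-PLACEHOLDER-COMMAND-TEXT"},   # 29 chars with marker
    {"sender": "+15550111", "time": "2020-01-01T10:01:00",
     "body": "vova-short"},                      # marker present, too short
    {"sender": "+15550111", "time": "2020-01-01T10:02:00",
     "body": "get faq"},
    {"sender": "+15550122", "time": "2020-01-01T11:30:00",
     "body": "Got FAQs? Visit our help page"},   # near miss, not a match
]

if __name__ == "__main__":
    for sender, found in scan(SAMPLE).items():
        print(sender, found)
```

A sender that produces several hits is the lead worth following up, since the spyware reports to a phone number set by its operator.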

The attacker can set a location alert when the device’s battery is running low, and can also set their own password for the spyware (the application comes with the default password “Vova”). After a phone number and password are set, the spyware starts a process to send the device’s location to the attacker.

“The SMS-based behavior and exception generation at the initial stage of startup can be the main reason why none of the antivirus engines on VirusTotal detected this app at the time of analysis,” Zscaler explains.

The application was last updated in December 2014 and managed to evade detection for a long time, but its functionality remained active. What’s more, the security researchers found that its code for stealing a victim’s location is the same as that of the DroidJack Trojan, which was discovered several years ago and was recently posing as fake Pokemon GO and Super Mario Run games for Android.

“There are many apps on the Google Play Store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app [in] this report. It portrayed itself as a system update, misleading users into thinking they were downloading an Android System Update,” Zscaler concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
