Researchers at Zimperium zLabs have discovered a sophisticated Android app that masquerades as a software update. It appears to be an update for the Android mobile operating system (OS), but it actually exfiltrates data about users and their mobile devices. This malware is similar to other Android apps that Google discovered in its Play Store during early March 2021, which infect target applications with Trojan horse tools like AlienBot and mRAT. These apps included a barcode scanner, recorder and virtual private network (VPN) service.
Zimperium researchers discovered many unsecured cloud configurations during March, 2021 that exposed user data to thousands of legitimate apps for both the Android and iOS mobile OSs. This investigation also revealed an app described as an Android system update that Zimperium’s zIPS on-device detection solution flagged as malware. Closer examination showed that this app was part of a spyware campaign with advanced capabilities. The additional discovery that this app has never existed on Google Play confirmed its function as malware.
The app’s first action after installation is to register the infected device with a Firebase command-and-control (C2) server that issues commands to the device. A separate C2 server then manages the exfiltration of data from the device. The Zimperium team reports that several conditions activate the app, including the installation of an app, addition of a contact or receipt of an SMS message.
Researchers classify this malware as a Remote Access Trojan (RAT), which controls the target system through a remote network connection. This particular RAT is able to exfiltrate many types of data, including the following:
It can also obtain operational information on the device such as installed application and storage statistics. Additional functions of the RAT include hijacking the target device’s camera and microphone to record audio, image and video files. Furthermore, it can record telephone calls and review browser bookmarks and history. The RAT also uses accessibility services to access instant messaging services like WhatsApp.
Additional functions are possible when the target device is rooted, meaning the user has administrative access to the device. These functions primarily include exfiltrating database records and files of specific types, including those with the following extensions:
The RAT can also copy file stored in external locations, although the size of these files must be limited to avoid impacting connectivity. As a result, it only copies thumbnail images in this manner.
Researchers are still developing methods for removing the RAT from infected devices. So far, the best means of detecting them include noticing when your device is transmitting more data to the internet than it should, although this malware uses several strategies to avoid such detection. The RAT sends all the data it obtains to the C2 server when the device has a Wi-Fi connection. However, it limits transfers to specific types of data when the device only has a mobile data connection, as users are more likely to detect activity through this connection.