Beware Of This Android Spyware That Poses As A Critical System Update


Don't blindly click that link or assume the notification about a system update that you received is real. Zero-day exploits in popular server applications like SolarWinds and Exchange may grab headlines, but the biggest problems most users face with tech security are of the socially-engineered variety. That's the case once again this week: new malware for Android poses as a security update, but the payload is much darker than a patch. According to security firm Zimperium, that supposed critical update could really be malware that steals messages and personal data, or even takes over the phone entirely.

Zimperium first detected the new "System Update" malware because the application's behaviors triggered detection in the company's zIPS on-device protection on a number of infected devices. The app is a Remote Access Trojan, which works as a backdoor for an attacker to gain access to the device's messaging apps, web browser, and files with specific extensions, including common Microsoft Office file types. Beyond just stealing data, the app can also monitor location via GPS and location services, turn on the microphone and camera, and record phone calls, all while concealing itself from the app drawer.

Fortunately, Zimperium says that this app is only available via third-party stores, and not Google Play. Once installed, the app registers the device with its Firebase-based command-and-control server, sending details like the device model, and then grabs a new Firebase token for its own purposes. Attackers then send commands through Google's own Firebase Cloud Messaging service, and rather than displaying them as alerts like most apps do, this System Update malware takes the body of the alert and parses it for commands on what data to send back to its makers.


Snippets of code that replicate what the malware does are included in Zimperium's blog post. It's always up to app developers to decide what to do with incoming notifications, and normally, they just get formatted and displayed on the device. The System Update app's code instead reads the message body and walks through some branching logic to collect the requested data. That information is then stored in the app's private storage sandbox, ready to send back. It can even scrape thumbnails from videos stored on the device. The app also collects location and call information in the same manner.

While Microsoft takes a lot of the blame, recent events with Apple and Android malware also prove that no platform is secure. Any device with the System Update app installed should be considered a party line where a third party is almost certainly listening in. Zimperium doesn't provide any steps for ensuring malware removal. In theory, visiting the device's installed apps and removing it should fix the issue, but a safer bet is a factory reset and restore. Downloading apps from third parties is always a bit of a gamble, and in this instance, it's the users who lost out.