Researchers have discovered new Android malware that disguises itself as a system update for Android smartphones. Once installed, the malware exfiltrates data from the phone to the attacker and lets the attacker control the device remotely.
Researchers from the security company Zimperium discovered the malware and published the results together with TechCrunch. The app has to be sideloaded from outside the Play Store; once installed, it connects to the attacker’s server, from which the smartphone is controlled remotely.
The malware can steal all kinds of data from the victim’s phone, from messages to photos. The attacker can also record audio through the microphone, activate the camera, and receive the phone’s location data.
According to the researchers, the malware was most likely built for targeted attacks. What makes it dangerous is that its fake system-update notification is hard to distinguish from a real one. One check does hold up, though: genuine Android system updates are delivered by the device maker or carrier through the Settings app, never as a separately installed app, so an “update” that arrives as an APK to install is a warning sign in itself.
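Because this malware has to be sideloaded, a practical triage step on a device you suspect is to list the installed third-party packages together with the installer Android recorded for each one, and look at everything that did not come from the Play Store. The script below is an added example, not code from the article or from Zimperium; it assumes the output format of `adb shell pm list packages -3 -i` (`package:<name>  installer=<installer-package or null>`) and treats only the Play Store (`com.android.vending`) as trusted. The sample input and its package names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the article or from Zimperium.
# Triage check: report third-party Android packages whose recorded installer is
# not a trusted app store. Input is the output of
#   adb shell pm list packages -3 -i
# which (assumed format) looks like:
#   package:<package-name>  installer=<installer-package or null>
# Play Store installs record com.android.vending; anything else (null, the
# built-in package installer, a browser, an OEM store) was sideloaded or came
# from another source and deserves a closer look.

# Installer packages treated as trusted. Assumption: only the Play Store; add an
# OEM store here if the device legitimately uses one.
TRUSTED_INSTALLERS="com.android.vending"

# Returns 0 if $1 is listed in TRUSTED_INSTALLERS, 1 otherwise.
is_trusted_installer() {
    for t in $TRUSTED_INSTALLERS; do
        if [ "$1" = "$t" ]; then
            return 0
        fi
    done
    return 1
}

# Read `pm list packages -i` output on stdin and print, one per line,
# "<package><TAB><installer>" for every package whose installer is not trusted.
# Lines that are not package entries are ignored.
find_sideloaded() {
    while read -r pkg_field inst_field _rest; do
        case "$pkg_field" in
            package:*) ;;
            *) continue ;;
        esac
        pkg=${pkg_field#package:}
        installer=${inst_field#installer=}
        # An empty installer means -i was not passed or nothing was recorded;
        # treat it as unknown rather than trusted.
        if [ -z "$installer" ]; then
            installer=unknown
        fi
        if ! is_trusted_installer "$installer"; then
            printf '%s\t%s\n' "$pkg" "$installer"
        fi
    done
}

# Constructed sample output (package names are made up): two Play Store apps,
# one app with no recorded installer (typical of adb or manual APK installs),
# and one installed through the built-in package installer.
SAMPLE_PM_OUTPUT='package:com.example.messenger  installer=com.android.vending
package:com.update.system  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded  installer=com.android.packageinstaller'

# Run the check against the constructed sample. On a real device, replace the
# sample with:  adb shell pm list packages -3 -i | find_sideloaded
demo_sideloaded() {
    printf '%s\n' "$SAMPLE_PM_OUTPUT" | find_sideloaded
}

demo_sideloaded
```

The installer record is a hint, not proof: a package with `installer=null` may simply have been installed over adb by the owner, and malware that abuses an accessibility or device-admin role can still hide from the user afterwards. Treat each flagged package as something to pull and inspect, not as a verdict.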
Zimperium CEO Shridhar Mittal describes the app as very advanced and confirmed that it was never available on Google Play. When reached, a Google spokesperson would not comment on what steps the company is taking to keep the malware out of the Play Store; Google has seen malicious apps slip through its filters before.
This kind of malware has far-reaching access to a victim’s device and comes in a variety of forms and names, but largely does the same thing. In the early days of the internet, remote access trojans, or RATs, let snoops spy on victims through their webcams. Nowadays, child monitoring apps are often repurposed to spy on a person’s spouse, known as stalkerware or spouseware.
“We are starting to see an increasing number of RATs on mobile devices. And the level of sophistication seems to be going up, it seems like the bad actors have realized that mobile devices have just as much information on them and are much less protected than the traditional endpoints,” said Mittal.