A new malicious application, posing as a system software update, steals data and takes control of the smartphone. The virus was discovered by specialists from zLabs.
The malicious software is called System Update and is distributed online both as a standalone application and as a “trailer” bundled with other software. According to the study, it can steal data such as instant-messenger messages, photos and videos, files with the extensions .doc, .pdf and .xlsx, call logs and contacts. In addition, the application checks bookmarks and browsing history in Chrome, Firefox and the Samsung browser, reads the clipboard and notifications, records phone conversations, and periodically takes pictures through any of the cameras. To keep the owner from suspecting that anything is wrong, the installed Trojan can hide its icon from the home screen and from the list of applications.
Immediately after installation, the fake System Update queries the system for the battery charge percentage, internal storage statistics, the Messaging Service token, and whether the WhatsApp messenger is present on the device; messages from this messenger are subsequently stolen. Most of the time the Trojan is inactive, and its functionality can be triggered by adding a contact to the phone, receiving an SMS, or installing certain applications that the virus is “interested” in. Pay attention to the trigger for receiving SMS: it is through the “Firebase Messaging Service” that the malware receives remote commands from its “bosses”. In particular, sound recording from the microphone is initiated this way.
The spyware collects everything it needs into a ZIP archive, sends it to the server, and, once the upload is confirmed as successful, immediately deletes the archive from the device. Another nuance: since photos and videos can be very large, the virus steals and sends to the server only thumbnails from the smartphone gallery, which also makes it harder to detect through a constant traffic leak. When the device is idle, the Trojan displays a “Search for updates” message on the lock screen, which closely resembles the Android system alert.
The way to defend against this malware is not to install apps from third-party stores or random sites. Google has officially confirmed that the System Update Trojan has never been in the Play Store, which means it can only be obtained from unofficial or pirated sources.
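
Since the Trojan only arrives from outside the Play Store, one practical check is to list the third-party packages on a device together with their installer and review everything not installed by the Play Store; the package manager listing does not depend on launcher icons, so an app that hides its icon still appears. The script below is an added example, not code from the zLabs study: it parses the output of `adb shell pm list packages -i -3`, and the sample listing and its package names are constructed for illustration.

```python
import re
import sys

# Installer package name of the Google Play Store.
PLAY_STORE = "com.android.vending"

# Constructed sample of `adb shell pm list packages -i -3` output
# (third-party packages with their installer); package names are made up.
SAMPLE = """\
package:org.example.notes  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:net.example.game  installer=com.google.android.packageinstaller
package:org.example.mail  installer=com.android.vending
"""

LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<installer>\S+)$")


def parse(listing):
    """Yield (package, installer) pairs; installer is None when unrecorded."""
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines and unrelated adb output
        installer = m.group("installer")
        yield m.group("pkg"), None if installer == "null" else installer


def sideloaded(listing, trusted=(PLAY_STORE,)):
    """Return (package, installer) for apps not installed by a trusted store."""
    return sorted(
        (pkg, installer or "unknown")
        for pkg, installer in parse(listing)
        if installer not in trusted
    )


if __name__ == "__main__":
    # Pipe real adb output in, or run without a pipe to see the sample result.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for pkg, installer in sideloaded(data):
        print(f"{pkg}\tinstalled by: {installer}")
```

A flagged package is not necessarily malicious; it is a candidate for review, since legitimately sideloaded apps and apps from other stores show up the same way.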