A New Android Malware Posing As System Update

Zimperium zLabs researchers revealed unsecured cloud configurations exposing user data across thousands of legitimate Android and iOS applications. Now, zLabs is advising Android users about a clever and malicious new Android app. 

This malware poses as a System Update application in order to steal data, images and messages and to take control of the entire Android phone. Once in control, attackers can record audio and phone calls, view browser history, take photos, and read WhatsApp messages.

zLabs researchers uncovered this purported System Update app after the z9 malware engine that powers zIPS on-device detection flagged it. Investigation traced the activity to an advanced spyware campaign with extensive capabilities.

Once installed from a third-party (non-Google) app store, the malware communicates with a Firebase-based Command and Control (C&C) service under the names “update” and “refreshAllData”. To appear legitimate, the app collects device information such as whether WhatsApp is present, the battery percentage, storage statistics, the type of internet connection, and the Firebase messaging service token.

Once the user chooses to “update” the existing information, the app compromises the device and the C&C receives all of the collected data, including the newly generated Firebase token.
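The behaviour described above (an app labelled "System Update" that arrives from a third-party store and holds the permissions needed to record audio, read messages, take photos and read stored images) lends itself to a simple triage heuristic over a device's installed-app inventory. The following script is an added defender-side example and is not Zimperium's code or the malware's; it assumes an inventory of the kind `adb shell pm list packages -i` and `dumpsys package` would give (package name, label, installer package, granted permissions), treats only Google Play (`com.android.vending`) as a trusted installer, and uses a constructed sample inventory. The mapping from the article's listed capabilities to Android permissions is the author's assumption.

```python
"""Triage heuristic for sideloaded apps posing as a "System Update".

Added example, not code from the article or from Zimperium. Inventory rows
are constructed to mimic `pm list packages -i` / `dumpsys package` output.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Assumption: Google Play is the only installer we trust; any other installer
# (or none, e.g. adb/browser sideload) counts as a third-party install.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Assumption: permissions that would let an app do what the article says the
# spyware does (record audio/calls, read messages, take photos, read images).
SURVEILLANCE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "record audio and calls",
    "android.permission.READ_SMS": "read SMS messages",
    "android.permission.CAMERA": "take photos",
    "android.permission.READ_EXTERNAL_STORAGE": "read stored images and files",
}

# Genuine OS updates are not delivered by a third-party app with this label.
UPDATE_LABEL = re.compile(r"\bsystem\s*update\b", re.IGNORECASE)


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]  # None when no installer was recorded (sideload)
    permissions: FrozenSet[str]


@dataclass
class Finding:
    package: str
    severity: str  # "high", "medium" or "low"
    reasons: List[str]


def assess(app: InstalledApp) -> Finding:
    """Score one app: impersonation + third-party install + spy capabilities."""
    reasons = []
    poses_as_update = bool(UPDATE_LABEL.search(app.label))
    sideloaded = app.installer not in TRUSTED_INSTALLERS
    caps = [desc for perm, desc in SURVEILLANCE_PERMISSIONS.items()
            if perm in app.permissions]

    if poses_as_update:
        reasons.append(f'label "{app.label}" imitates a system update')
    if sideloaded:
        reasons.append(f"installed by {app.installer or 'unknown installer'}, "
                       "not Google Play")
    if caps:
        reasons.append("can " + ", ".join(caps))

    # Severity requires the impersonation; capabilities alone are normal for
    # legitimate apps (a messenger may hold CAMERA and RECORD_AUDIO).
    if poses_as_update and sideloaded and len(caps) >= 2:
        severity = "high"
    elif poses_as_update and sideloaded:
        severity = "medium"
    else:
        severity = "low"
    return Finding(app.package, severity, reasons)


def triage(apps: Iterable[InstalledApp]) -> List[Finding]:
    """Assess every app and return findings with the most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((assess(a) for a in apps), key=lambda f: order[f.severity])


# Constructed sample inventory (package names are placeholders, not real IoCs).
SAMPLE_INVENTORY = [
    InstalledApp("com.example.sysupdate", "System Update", None, frozenset({
        "android.permission.RECORD_AUDIO",
        "android.permission.READ_SMS",
        "android.permission.CAMERA",
        "android.permission.READ_EXTERNAL_STORAGE",
    })),
    InstalledApp("com.example.messenger", "Messenger", "com.android.vending",
                 frozenset({"android.permission.CAMERA",
                            "android.permission.RECORD_AUDIO"})),
    InstalledApp("com.example.flashlight", "Flashlight", "com.example.store",
                 frozenset({"android.permission.CAMERA"})),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(f"[{finding.severity.upper():6}] {finding.package}")
        for reason in finding.reasons:
            print(f"           - {reason}")
```

The heuristic deliberately keys on the combination of impersonating label, non-Play installer and surveillance-capable permissions rather than on any one signal: a legitimate messenger that holds CAMERA and RECORD_AUDIO scores low, while a sideloaded "System Update" with no dangerous permissions still scores medium because nothing legitimate ships under that label from a third-party store.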