Tuesday 25 April 2017

Android Spyware SMSVova found on Google Play Store

Millions of users have been tricked into downloading Android spyware disguised as a system update in the Play Store. The app, which claims to give users access to the latest Android updates, remained undetected in the Play Store for three years and was downloaded between one and five million times.

Experts at Zscaler discovered that the bogus app was posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software release.

It has been estimated that the fake application hiding the SMSVova spyware was uploaded to Google Play in 2014 and has been downloaded between 1,000,000 and 5,000,000 times.

The experts reported the discovery to Google, which promptly removed the app from the store.

The SMSVova spyware was developed to track the physical location of users and was controlled by attackers via SMS messages.

“In our ongoing effort to hunt malware, the Zscaler ThreatLabz team came across a highly suspicious app on the U.S. Google Play Store that has been downloaded between one and five million times since 2014.” reads the analysis published by Zscaler. “Upon analysis, we found it to be an SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time.”

According to Zscaler, when users tried to open the app after installing it, they were shown the message:

‘Unfortunately, Update Service has stopped.’


Then the app hides itself from the main screen and launches MyLocationService on the phone, which collects location data and stores it in the Shared Preferences directory of the mobile device.

Despite the error message, the spyware sets up an Android service and broadcast receiver:
  • MyLocationService: Fetches last known location
  • IncomingSMS (Receiver): Scans for incoming SMS messages

SMSVova watches incoming SMS messages for specific characteristics: messages more than 23 characters long that contain the text strings “vova-” and “get faq.”
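The component pairing described above (a location service plus a broadcast receiver listening for incoming SMS) can be checked for when triaging a decoded AndroidManifest.xml. The following is an added example, not code from Zscaler's analysis; the sample manifest and package name are constructed, and the permission names are the standard Android ones, assumed here because the article does not list the permissions the app requested.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"          # the android:name attribute
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
RECEIVE_SMS = "android.permission.RECEIVE_SMS"
LOCATION_PERMS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Constructed sample (already decoded to text, e.g. by apktool); it is not the
# real app's manifest. Only the component names come from the article.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sysupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="System Update">
    <service android:name=".MyLocationService"/>
    <receiver android:name=".IncomingSMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Flag manifests that pair an SMS receiver with location access."""
    # For manifests from untrusted sources, parse with a hardened XML parser.
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    sms_receivers = [
        r.get(NAME) for r in root.iter("receiver")
        if any(a.get(NAME) == SMS_ACTION for a in r.iter("action"))
    ]
    services = [s.get(NAME) for s in root.iter("service")]
    findings = {
        "sms_receivers": sms_receivers,
        "services": services,
        "reads_location": bool(perms & LOCATION_PERMS),
        "receives_sms": RECEIVE_SMS in perms,
    }
    # Heuristic only: a hit means "review this app", not "this is spyware".
    findings["suspicious"] = bool(
        sms_receivers and services
        and findings["reads_location"] and findings["receives_sms"]
    )
    return findings
```

Legitimate apps such as the family-locator tools mentioned in the analysis match the same pattern, so a hit should be weighed against what the store listing says the app does.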

It is curious to note that according to the recent Google Android Security 2016 Year In Review report, in 2016 devices that installed applications only from Google Play had fewer than 0.05 percent of potentially harmful applications installed.

“There are many apps on the Google Play store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report,” concluded the analysis.

It is unclear exactly why the malware focused on user location alone. The app also hasn’t been updated since December 2014; however, millions of people kept downloading it. Google has now removed it from the store after being alerted, but the app went undetected since it first appeared in 2014. We are still to hear back from the search giant on why this app remained active for three years in the Play Store.
