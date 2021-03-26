



Researchers have discovered a new advanced Android malware that finds sensitive information stored on infected devices and sends it to attacker-controlled servers.

According to researchers at security firm Zimperium, the app poses as a system update and must be downloaded from a third-party store. In fact, it is a remote-access Trojan that receives and executes commands from a command-and-control server. It provides a full-featured espionage platform that performs a variety of malicious activities.

Zimperium has listed the following features:

- Stealing instant messenger messages
- Stealing instant messenger database files (if root is available)
- Inspecting default browser bookmarks and searches
- Inspecting bookmarks and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser
- Searching for files with specific extensions (if root is available): .pdf, .doc, .docx, .xls, .xlsx
- Inspecting clipboard data
- Inspecting notification content
- Recording audio
- Recording phone calls
- Periodically taking pictures (via either the front or back camera)
- Listing installed applications
- Stealing images and videos
- Monitoring GPS location
- Stealing SMS messages
- Stealing phone contacts
- Stealing call logs
- Stealing device information (installed applications, device name, storage statistics, etc.)
- Concealing itself by hiding its icon from the drawer/menu

Messaging apps vulnerable to database theft include WhatsApp, which is used by billions of people and is expected to provide a higher level of confidentiality than other messengers. As mentioned earlier, the database can only be accessed if the malware has root access to the infected device. Attackers can root infected devices that run older versions of Android.

Even if the malicious app does not obtain root, it can trick users into enabling Android accessibility services so that it can collect conversation and message details from WhatsApp. Accessibility services are controls built into the operating system that make devices easier to use for visually impaired and other disabled users by changing the display or providing voice feedback. Once accessibility services are enabled for it, a malicious app can scrape the content of WhatsApp screens.
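Because the accessibility route needs no root, a quick triage step on a suspect device is to check which packages currently hold accessibility access. The helper below is an added example, not code from the article or from Zimperium: it parses the value Android stores in `Settings.Secure` under `enabled_accessibility_services` (readable with `adb shell settings get secure enabled_accessibility_services`) and flags any enabled service whose package is not on an allowlist; the allowlist and the sample setting value are constructed for illustration.

```python
# Added example (not from the article or Zimperium): triage helper that parses the
# value Android keeps in Settings.Secure "enabled_accessibility_services" and flags
# enabled services whose package is not on a reviewer-supplied allowlist.
# The allowlist and the sample setting value below are constructed for illustration.
from typing import Dict, List, Set

# Hypothetical allowlist: packages an organisation expects to hold accessibility access.
KNOWN_GOOD_PACKAGES: Set[str] = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}


def parse_enabled_services(setting_value: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service class names.

    The setting is a ':'-separated list of flattened ComponentName strings of the
    form 'package/ServiceClass'; the class may be abbreviated as '.Relative' and is
    then resolved against the package. 'null' or an empty value means none enabled.
    """
    services: Dict[str, List[str]] = {}
    if not setting_value or setting_value.strip() == "null":
        return services
    for entry in setting_value.strip().split(":"):
        if not entry or "/" not in entry:
            continue  # skip malformed fragments rather than crash on them
        package, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = package + cls
        services.setdefault(package, []).append(cls)
    return services


def suspicious_services(setting_value: str,
                        allowlist: Set[str] = KNOWN_GOOD_PACKAGES) -> Dict[str, List[str]]:
    """Return only the enabled services whose owning package is not allowlisted."""
    return {pkg: svcs for pkg, svcs in parse_enabled_services(setting_value).items()
            if pkg not in allowlist}


# Constructed sample: a legitimate screen reader plus an unexpected sideloaded package
# posing as a system update (package and class names invented for this example).
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.systemupdate/.UpdateAccessibilityService"
)

if __name__ == "__main__":
    for pkg, svcs in suspicious_services(SAMPLE_SETTING).items():
        print(f"review: {pkg} has accessibility service(s) enabled: {', '.join(svcs)}")
```

On a real device, replace `SAMPLE_SETTING` with the string returned by the `adb shell settings get secure` command and tune the allowlist to the apps you actually deploy; a sideloaded package appearing here is a strong lead, not proof of infection.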

Another feature is stealing files stored on the device’s external storage. To reduce bandwidth consumption that could tip off the victim that the device is infected, the malware steals thumbnails of images, which are much smaller than the corresponding full images. When the device is connected to Wi-Fi, the malware sends the stolen data from all folders to the attacker. If only a mobile connection is available, the malware sends a more limited dataset.

As full-featured as the spy platform is, it has important limitations. It cannot infect a device without first tricking the user into making decisions that experienced users know are unsafe. First, users must download the app from a third-party source; as problematic as the Google Play store is, it is generally a more reliable place to get apps. Users must also be socially engineered into enabling accessibility services for some of the more advanced features to work.

Google declined to comment, except to repeat that the malware wasn’t available in Play.

