Cyber researchers spotted a new Android malware hidden behind six different Android applications. That was available for download in Google Play. The six apps include Flappy Birr Dog, Flappy Bird, FlashLight, Win7Launcher, Win7imulator, and HZPermis Pro Arabe. Out of these six apps, five have been removed from Google Play since February 2018.
However, these applications have been downloaded at least 100,000 times by users across 196 countries with the majority of victims residing in India. The affected countries include India, Russia, Pakistan, Bangladesh, Indonesia, Brazil, Egypt, Ukraine, Turkey, United States, Sri Lanka, Italy, Germany, Saudi Arabia, and more.
Researchers from TrendMicro detected spyware dubbed as ANDROIDOS_MOBSTSPY which is capable of stealing information such as user location, call logs, SMS conversations, and clipboard items. The malware uses Firebase cloud messaging to send information to its C2 server.
- Once the malicious application is installed and launched, the malware first checks for the device’s network availability.
- The malware then reads and parses an XML configuration file from its C2 server.
- Then, the malware collects device information such as the language used, its registered country, package name, device manufacturer, and more.
- It then sends the collected information to its C2 server.
- Once executed, the malware waits and then performs the command received from its C2 server via FCM.
- The malware can steal call logs, SMS conversations, contact lists, user location etc based on the command it received from its C2 server.
Malware capabilities
The capabilities of the malware include,
- Stealing and uploading files on the device.
- Stealing additional credentials through phishing attacks.
- Stealing user credentials by displaying fake Facebook and Google pop-ups and display screens.
Most users will not doubt the fake screens or pop-ups and are most likely to fall prey for the attack. When the users provide their username and password for the first time, the malware shows them that the log-in was unsuccessful, but the login credentials have already been stolen by the malware.
