Spyware Disguises as Android Applications on Google Play

  • 03 Jan 2019
by Ecular Xu and Grey Guo

We discovered spyware (detected as ANDROIDOS_MOBSTSPY) that disguised itself as legitimate Android applications in order to gather information from users. The applications were available for download on Google Play in 2018, and some had already been downloaded over 100,000 times by users from all over the world. One of the applications we initially investigated was the game Flappy Birr Dog, shown in Figure 1. Other applications included FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird. Five of the six apps had been suspended from Google Play as of February 2018, and as of this writing Google has removed all of them from Google Play.

Figure 1. Flappy Birr Dog download page

Information stealing

MobSTSPY is capable of stealing information such as the user's location, SMS conversations, call logs and clipboard contents. It uses Firebase Cloud Messaging (FCM) as the channel to its command-and-control (C&C) server.

Once the malicious application is launched, the malware first checks whether the device has network connectivity. It then downloads and parses an XML configuration file from its C&C server.

Figure 2. Example of a configuration file retrieved from a C&C server

The malware then collects device information such as the device language, registered country, package name and manufacturer. Examples of the information it steals are shown in Figure 3.

Figure 3. Example of stolen information

It sends the gathered information to its C&C server, which registers the device. From then on, the malware waits for commands pushed from the C&C server over FCM and executes them.

Figure 4. Parsing a command from the C&C

Depending on the command it receives, the malware can steal SMS conversations, contact lists, files and call logs, as the commands in the following figures show.

Figure 5. Stealing SMS conversations

Figure 6. Stealing the contact list

Figure 7. Stealing call logs

The malware is also capable of stealing and uploading files found on the device, and does so when it receives the commands shown in Figures 8 and 9.

Figure 8. Stealing files from target folders

Figure 9. Uploading files

Phishing capabilities

In addition to its information-stealing capabilities, the malware can harvest further credentials through a phishing attack: it displays fake Facebook and Google pop-ups to phish for the user's account details.

Figure 10. Phishing behavior

If the user enters credentials, the fake pop-up merely reports that the login was unsuccessful; by then the malware has already captured them.

Figure 11. Fake Facebook login pop-up

User distribution

Part of what makes this case interesting is how widely the applications were distributed. Through our back-end monitoring and further research, we were able to see the general distribution of affected users and found that they came from a total of 196 countries.

Figure 12. Top countries by number of affected users

Other
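The capabilities described above (reading SMS, call logs, contacts, location and files, plus a push channel for commands) each require the app to declare specific Android permissions or components in its manifest, which makes a static triage check possible before an app is ever run. The script below is an added example, not code from the TrendLabs write-up or from the malware itself: it parses an AndroidManifest.xml, maps declared permissions back to the data-theft capabilities the article lists, and notes whether a Firebase Cloud Messaging service is registered. The permission names are the standard Android ones those capabilities require, the FCM intent action is the documented Firebase one, the threshold of three capabilities is an assumption, and both sample manifests (and their package names) are constructed.

```python
"""Static triage of an AndroidManifest.xml for the capability set MobSTSPY abuses.

Added example; not code from the TrendLabs write-up or from the malware.
Assumptions: the permission names are the standard Android permissions needed
to read SMS, call logs, contacts, location and external storage, and the FCM
intent action is the documented Firebase one. Both sample manifests below are
constructed, and the package names are invented.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS

# Capability the article describes -> permission(s) an app must declare to get it.
CAPABILITY_PERMS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE"},
}

# Intent action a Firebase Cloud Messaging service declares to receive pushes.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

# Three or more data-theft capabilities in one app is the triage threshold used
# here (assumption; a messaging or dialer app would legitimately exceed it).
SUSPICIOUS_THRESHOLD = 3


def triage_manifest(manifest_xml: str) -> dict:
    """Return the package name, matched capabilities, FCM presence and a verdict."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    capabilities = sorted(cap for cap, needed in CAPABILITY_PERMS.items()
                          if declared & needed)
    # Any <action> under <application> carrying the FCM action means the app can
    # receive server pushes, which is how MobSTSPY gets its commands.
    fcm_listener = any(a.get(NAME_ATTR) == FCM_ACTION for a in root.iter("action"))
    return {
        "package": root.get("package"),
        "capabilities": capabilities,
        "fcm_listener": fcm_listener,
        "suspicious": len(capabilities) >= SUSPICIOUS_THRESHOLD,
    }


# Constructed sample: what a genuine flashlight app would plausibly declare.
FLASHLIGHT_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: a "game" declaring the permission set the article's
# capabilities imply, plus an FCM service. Package name is invented.
GAME_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flappygame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <activity android:name=".GameActivity"/>
    <service android:name=".PushService" android:exported="false">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for xml in (FLASHLIGHT_MANIFEST, GAME_MANIFEST):
        print(triage_manifest(xml))
```

Two practical caveats. The manifest inside an APK is stored as binary XML, so decode it first (for example with `apktool d app.apk`, which writes a plain-text AndroidManifest.xml into the output directory) before feeding it to this function. And the result is a triage signal, not a verdict: a messaging app will legitimately match most of these capabilities, so the anomaly worth acting on is the mismatch between what an app claims to be (a flashlight, a game) and what it asks for. Clipboard access, which the article also lists, needs no permission at all and cannot be caught this way.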
Source: TrendLabs Security Intelligence Blog. Published on 2019-01-03.