Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Privacy Android Security

A New Android Spyware Masquerades as a 'System Update' (techcrunch.com) 20

Security researchers say a powerful new Android malware masquerading as a critical system update can take complete control of a victim's device and steal their data. From a report: The malware was found bundled in an app called "System Update" that had to be installed outside of Google Play, the app store for Android devices. Once installed by the user, the app hides and stealthily exfiltrates data from the victim's device to the operator's servers. Researchers at mobile security firm Zimperium, which discovered the malicious app, said once the victim installs the malicious app, the malware communicates with the operator's Firebase server, used to remotely control the device. The spyware can steal messages, contacts, device details, browser bookmarks and search history, record calls and ambient sound from the microphone, and take photos using the phone's cameras. The malware also tracks the victim's location, searches for document files and grabs copied data from the device's clipboard. The malware hides from the victim and tries to evade capture by reducing how much network data it consumes by uploading thumbnails to the attacker's servers rather than the full image. The malware also captures the most up-to-date data, including location and photos.
This discussion has been archived. No new comments can be posted.

A New Android Spyware Masquerades as a 'System Update'

Comments Filter:
  • Non-Story (Score:5, Informative)

    by CastrTroy ( 595695 ) on Friday March 26, 2021 @03:04PM (#61202546)

    What a non-story. Software which wasn't available from the play store and had to be installed manually by the user is causing security problems.

    • Exactly. When I read the summary, I was thinking WTF? A user who installed "update" software outside of the store is either intentionally being stupid and knowingly loading malware or they were convinced to jump through hoops by some scammer in Nigeria to do this. Biggest piece of advice any "normal" user can heed that will make them many times more secure than they are now. If anyone reaches out and contacts you about patching your phone/computer, it's a scam. Same goes for any financial/medical/sensi
    • Yup, so be careful installing that "alternative" firmware that's better than what came with the phone.

    • Re:Non-Story (Score:5, Insightful)

      by notsouseful ( 6407080 ) on Friday March 26, 2021 @04:07PM (#61202716)

      But isn't this what the whole Epic thing is trying to do though? Normalize the behavior of installing applications outside of the Walled Garden? Either you can or you can't. If you can, easily enough for the general population that wants to play Fortnite, it will become normalized. Much like clicking "Yes" on the UAC for every single screensaver you download from the internet. Or pretty much every damn game you want to play these days because they want to execute a DirectX runtime installer to make sure that the libraries are available before they run so they don't simply crash. Maybe I'm getting old but that, in particular, just seems pretty damn wrong - games effectively always run with admin rights.

      I still think it's interesting.

      • I think Epic wants to be able to install an additional secured storefront. Like in Android where you can install the Amazon App Store.

    • by shanen ( 462549 ) on Friday March 26, 2021 @04:13PM (#61202724) Homepage Journal

      Really? The all-powerful moderators of Slashdot think that was insightful? Or they just "admire" the traditional Slashdot negativity? I think it just goes to show FPs should be more carefully selected, though I wouldn't call it an actual abuse of FP. About the actual story, there are two interesting questions, but the linked story addresses neither of them to my satisfaction.

      The first question involves the target. I see two basic options: broad or narrow. If it was broadly targeted, then there should have been a lot of spam trying to encourage people to install it. If narrowly targeted, then the attackers probably would have used individualized email rather than mass spam. But no hint in "discovered" to say how they found it. Might not be email. Perhaps social engineering via the old-fashioned voice call? Delivered on a USB stick? Heck, maybe the attackers send the installation instructions via FAX. ;-)

      The second interesting question is how this relates to the general problem of malware apps. Mostly it looks like an example of why the central distribution points are basically good. The attackers are going to have to include extra BS in their pitch to help the sucker install this one and count on the victim not knowing much about how system updates are supposed to work. I guess this is an argument in favor of spearphishing targeting clueless executives? (Also circumstantial evidence for executive targets in the kind of data captured?) The linked story describes the technologies of this malware as quite dangerous if they can be snuck into an app that Google (or Apple) accepts for distribution.

      Which leads me back to the larger security paradox. The google and Apple want lots of apps to help sell the smartphones, but the more apps the harder it is to check the safety of all of the apps. I don't know much about the Apple side, but I feel like the google copped the plea by making the permissions relatively explicit. You got burned? It was "YOUR OWN FAULT" (and you can't sue us, the google, for your damages) because you clicked on the requested permissions, you silly sucker, you.

      I would repeat my suggestion about fighting the crooks at the money level, but I've never detected comprehension or interest on Slashdot. Even better if someone could explain what's wrong with that solution approach, but I'll just spare y'all the trouble.

      (So much for first light thought? But I wish I had caught the latest UBI story when it was fresh. Now all I can hope for is some Funny stuff over there...)

    • Ok it pops up as a notification saying it is a critical update. Nobody goes anywhere to sideload anything. It looks the same as official updates, more or less.

      I have never installed such a thing and see this. The first two times I tried updating but it did nothing, and now I just ignore it. I think my phone is too old for it.

    • What a non-story. Software which wasn't available from the play store and had to be installed manually by the user is causing security problems.

      The play store is malware that installs even more malware. Having Google play services installed is a security problem.

  • by xack ( 5304745 ) on Friday March 26, 2021 @03:16PM (#61202584)
    Viruses have filled the gap.
    • The updates in Android are more granular. Lots of parts of the system are regularly updated through the Play Store.

  • The malware was found bundled in an app called "System Update" that had to be installed outside of Google Play

    Wow! It's fucking nothing!

    • There's more to this story. I never installed such a thing and get "critical system update" notifications, that do nothing apparently when I click install. I did nothing for this initial infection if it is even that.

  • > Google Play, the app store for Android devices

    Er, no. The app store for Google Android, perhaps.

  • FTFA:

    the malware communicates with the operator's Firebase server, used to remotely control the device. The spyware can steal messages, contacts [etc, etc]

    I thought all apps did this. How is this different?

Top Ten Things Overheard At The ANSI C Draft Committee Meetings: (10) Sorry, but that's too useful.

Working...