'System Update' Android Malware

Android users are under the threat of a new sophisticated Android malware that poses as a 'System Update' application. The threat was discovered by the infosec researchers recently. According to their findings, the 'System Update' malware exhibits a wide range of threatening functionalities with some rarely seen features, well-established Command-and-Control (C2, C&C) infrastructure with different servers for incoming and outbound communication, as well as detection-avoidance techniques. 

If it is able to infiltrate the user's device, the 'System Update' malware acts as a RAT (Remote Access Trojan) effectively that can collect and exfiltrate data, execute inbound commands, and take control over certain functions of the infected device. It must be noted that the threat hasn't been able to breach the official Google Play store and is instead spread through third-party application platforms. 

A Wide Set Of Sophisticated Functions

The 'System Update' malware exhibits a multitude of threatening capabilities that allow the attackers to conduct various nefarious actions on the compromised Android device. Once established, the threat initiates communication with a Firebase C&C server. During the initial exchange, various data about the infected device is sent including - whether WhatsApp is present on the system, battery charge, storage statistics and Internet connection type. The information alongside a token received from the Firebase messaging service is used to register the device with the C&C. The malware threat uses the Firebase C&C only to receive incoming commands while all exfiltrated data is delivered to a different C&C server via POST requests.

The specific commands received by the threat, trigger different functionalities. The 'System Update' malware can access the microphone and start recording audio or record phone call conversations. The collected data will be saved as a ZIP archive file before being uploaded to the C&C server. The threat pesters the user with requests to enable Accessibility Services repeatedly, and if successful, it would try to scrape conversation and message details from WhatsApp's screen. 

The spyware establishes numerous listeners, observes, and broadcasted intents that trigger specific threatening actions such as collecting clipboard data, spying on SMS, contacts, call logs, notifications, GPS location, etc. The files stored on the compromised device will be scanned and any that is less than 30MB in size and considered valuable such as having .pdf, .docx, .doc, .xlsx, .xls, .pptx, and .ppt extensions will be copied and then exfiltrated to the C&C server. Further private user data such as bookmarks and search history will also be scraped from popular Web browsers such as the Samsung Internet Browser, Google Chrome and Mozilla Firefox. 

The spyware is extremely conscious about the data it collects is as current as possible. It snaps the location data from either the GPS or the network and updates it every 5 minutes. The same technique also is used for any photos taken with the device's camera, with only the interval being increased to 40 minutes. 

Multiple Techniques Hide the Abnormal Activities

Besides its extensive RAT and spyware capabilities, the 'System Update' malware also has been equipped with numerous techniques designed to keep it hidden from any prying eyes. The more basic ones include blocking the icon of the threatening application from showing properly in the drawer tab or menu of the infected device. Any files containing collected information are deleted immediately upon received a successful response from the remote server where the data is being exfiltrated. When collecting files stored on external storages that include numerous images of videos, the spyware focuses on collecting the appropriate thumbnails instead. This method allows the threatening activity to remain unnoticed relatively when compared to the alternative of creating a massive abnormal bandwidth trail, especially. 

If the 'System Update' malware receives a command from the Firebase C&C server while the screen of the compromised device is turned off, it generates a fake notification to mislead the user. The notification pretends to have been generated by the device's operating system by displaying a false 'Searching for update..' message.