Posing as a legitimate application on Google Play called “System Update” and claiming to provide users with access to the latest Android software updates, some spyware made it to the marketplace in 2014.
The app registered between one million and five million downloads by the time Google was alerted and removed it from the store.
Instead of delivering to its promise, however, the malware spies on users’ exact geolocation, and can send it to the attacker in real time. It receives commands from its operator via SMS messages, said researchers at Zscaler.
The application’s Google Play page should have been a warning to users it wasn’t what it appeared to be because it displayed blank screenshots. The page also said the “application updates and enables special location features.”
When the user attempts to run the installed app, however, an error message is displayed: “Unfortunately, Update Service has stopped.” In the background, the application sets up an Android service and broadcast receiver to fetch the last known location and scan for incoming SMS messages.
The spyware is looking for incoming messages that feature a specific syntax.
“The message should be more than 23 characters and should contain ‘vova-’ in the SMS body. It also scans for a message containing ‘get faq’,” said researchers at Zscaler.
The attacker can set a location alert when the device’s battery is running low, and can also set their own password for the spyware (the application comes with the default password “Vova”). After a phone number and password are set, the spyware starts a process to send the device’s location to the attacker.
“The SMS-based behavior and exception generation at the initial stage of startup can be the main reason why none of the antivirus engines on VirusTotal detected this app at the time of analysis,” Zscaler said.
The application was last updated in December 2014 and managed to evade detection for years.