Malware disguised as a Google Chrome update package is targeting Android devices.
The fake update package is actually a downloadable APK file, which users launch by tapping on it. Users who are not accustomed to updating apps through the Google Play Store app might fall for this trick.
When launched, the fake Google Chrome update package asks for administrative rights. Since it presents itself as a “Google” Chrome update, most users would likely grant the permissions.
Once the malware has acquired root-level permissions, it begins its malicious behavior, researchers at Zscaler said in a post. The malware is very powerful.
Some of the malware’s capabilities include checking for mobile antivirus solutions such as Kaspersky, ESET, Avast and Dr. Web, and terminating their processes. It can also monitor incoming and outgoing calls and SMS messages, start or end calls, and send SMS messages.
The most dangerous behavior observed from the malware is a popup asking for the user’s credit card details every time the user opens the Google Play Store app.
If users make the mistake of entering these details into the form, the information is sent via SMS to a phone number in Russia. The malware also collects browsing history and sends it to a C&C server, along with various other details.
Attackers are using a large collection of domain names to host the malware, which they change at regular intervals. All of the domains are registered with terms like Android, Google, Chrome, or Update in order to fool users into thinking the malware was downloaded from an official Google server.
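As an added, defender-side example (not from the Zscaler report or this article), the following Python script scans constructed proxy-log lines for APK downloads served from hosts that carry the brand and update terms described above but do not belong to an assumed allow-list of legitimate Google domains; the allow-list and the log format are assumptions.

```python
from urllib.parse import urlparse

# Terms the report says the attackers put in their domain names.
LURE_TERMS = ("android", "google", "chrome", "update")

# Assumed allow-list of legitimate registrable domains (hypothetical; tune per environment).
LEGIT_DOMAINS = {"google.com", "android.com", "googleapis.com", "gstatic.com"}

def registrable_domain(host: str) -> str:
    """Naive eTLD+1 (last two labels); assumes no multi-label public suffix like co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def is_lure_host(host: str) -> bool:
    """True for hosts that trade on brand/update terms without being a known Google domain.
    A brand name used as a subdomain of an unknown registrable domain still counts."""
    if registrable_domain(host) in LEGIT_DOMAINS:
        return False
    return any(term in host.lower() for term in LURE_TERMS)

def is_apk_download(url: str) -> bool:
    """True when the requested path is an Android package."""
    return urlparse(url).path.lower().endswith(".apk")

# Constructed proxy log lines: "<timestamp> <client-ip> <url>" (sample data, not real traffic).
SAMPLE_LOG = """\
2016-04-28T10:01:02Z 10.0.0.12 http://android-chrome-update.example/Update_chrome.apk
2016-04-28T10:01:05Z 10.0.0.12 https://play.google.com/store/apps/details?id=com.android.chrome
2016-04-28T10:02:11Z 10.0.0.33 http://google-update.example/chrome.apk
2016-04-28T10:03:40Z 10.0.0.44 https://dl.google.com/android/repository/tools.zip
2016-04-28T10:04:00Z 10.0.0.55 http://cdn.example/files/app.apk
"""

def find_suspicious_downloads(log_text: str) -> list:
    """Return (client_ip, host) pairs for APK downloads served from lure domains."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, url = parts
        host = urlparse(url).hostname or ""
        if is_apk_download(url) and is_lure_host(host):
            hits.append((client, host))
    return hits

if __name__ == "__main__":
    for client, host in find_suspicious_downloads(SAMPLE_LOG):
        print(f"ALERT: {client} fetched an APK from lure domain {host}")
```

Sideloaded APKs from such domains are the install vector described here, so an alert on the download is an earlier signal than waiting for the device-admin prompt.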
The only way to remove the malware is to reset the device to factory settings, Zscaler researchers said.