Spyware that disguised itself as legitimate Android applications to gather information from users was downloaded over 100,000 times by users globally, researchers said.
The spyware, detected as ANDROIDOS_MOBSTSPY by researchers at Trend Micro, was available for download on Google Play in 2018.
One of the applications initially investigated was a game called Flappy Birr Dog, said researchers Ecular Xu and Grey Guo. Other applications included FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher and Flappy Bird.
Five out of six of these apps have been suspended from Google Play since February 2018. Google has since removed all of these applications from Google Play.
Once one of these applications has been installed on the victim’s device, the spyware can proceed to steal information such as SMS conversations, call logs, user location, and clipboard items. The malware sends the collected information to the attacker’s server using Firebase Cloud Messaging, the researchers said in a post.
Upon initial execution, the malware checks the device’s network availability, after which it reads and parses an XML configuration file from its command and control (C&C) server. Next, it collects information such as the language used on the device, registered country, package name, manufacturer, etc.
The information is then sent to the C&C server for registration purposes. After this step has been completed, the malware waits for the server to send over commands to execute.
Based on the received commands, the spyware can not only steal SMS messages and call logs, but can also retrieve contact lists and files found on the device.
The malware can also perform a phishing attack to gather credentials from the infected device, the security researchers discovered. It can display fake Facebook and Google pop-ups, thus tricking the user into revealing their account details.
“This case demonstrates that despite the prevalence and usefulness of apps, users must remain cautious when downloading them to their devices,” the researchers said. “The popularity of apps serves as an incentive for cybercriminals to continue developing campaigns that utilize them to steal information or perform other kinds of attacks.”