The research team at technology company Zscaler has unearthed new Android Infostealer malware which is capable of harvesting call logs, SMS data, browser history and banking information and sending them to a remote command and control server.
What’s more, the firm says the malware, which disguises itself as a Google Chrome update, also has the ability to go unseen by checking for well-known installed anti-virus applications such as Kaspersky, ESET and Avast and terminating them.
Noted below are some examples of URLs where the Infostealer is being downloaded, according to Zscaler:
• http[:]//ldatjgf[.]goog-upps.pw/ygceblqxivuogsjrsvpie555/
• http[:]//iaohzcd[.]goog-upps.pw/wzbpqujtpfdwzokzcjhga555/
• http[:]//uwiaoqx[.]marshmallovw.com/
• http[:]//google-market2016[.]com/
• http[:]//ysknauo[.]android-update17[.]pw/
• http[:]//ysknauo[.]android-update16[.]pw/
• http[:]//android-update15[.]pw/
• http[:]//zknmvga[.]android-update15[.]pw/
• http[:]//ixzgoue[.]android-update15[.]pw/
• http[:]//zknmvga[.]android-update15[.]pw/
• http[:]//gpxkumv.web-app.tech/xilkghjxmwvnyjsealdfy666/
The file that is downloaded is called “Update_chrome.apk”, and when installed it asks the user for administrative access. Once the device is infected, the malware sets about harvesting SMS and call data, but most worryingly, if the user tries to open the play store they are presented with a bogus payment page which asks for credit card information. If this is filled in, the Infostealer sends the card details to a Russian phone number.
Lastly, the malware does not allow the user to deactivate its administrative authorization and so it can’t be removed from the phone unless a factory reset is carried out on the device, which of course results in further data loss.
“Nowadays we have more and more valuable information in our mobile phones which makes them a profitable target for cyber-criminals,” Luis Corrons, PandaLabs Technical Director at Panda Security told Infosecurity. “It also helps hackers to have one operating system that has most of the market share (Android), so they only have to focus on developing for it, and have a good number (hundreds of millions) of potential victims. On top of that, Android is more open than other OS as it allows you to install apps without using the official store.”
Corrons added that to avoid being hit, users should only install apps from the original store, as most infections come from apps installed through web downloads or non-official stores, and they should also be using good anti-virus and keeping OS and apps updated.
UPDATE: since publication ESET has issued the following statement:
“ESET detected this malware last year, thus no real update from Zscaler. In fact, ESET detected the threat as early as June 2015 as Android/Spy.Agent.LX, and while it is true that the code tries to terminate various security solutions, in the case of ESET Mobile Security – it does not work. With our own self-protection mechanisms in place, the malware will not succeed in killing or removing ESET Mobile Security. Furthermore, the factory reset being recommended in the news story can lead to further data loss. With security solutions like ESET Mobile Security – we not only detect the threat, but we are blocking infected domains. And, the AV killing component mentioned in the article is not successful in our case.”