A new sophisticated Android spyware that masquerades itself as a System Update application. The malware is able to collect system data, messages, images and take over the infected Android devices, it could allow operators to record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more.

“The “System Update” app was identified by zLabs researchers who noticed an Android application being detected by the z9 malware engine powering zIPS on-device detection. “The mobile application poses a threat to Android devices by functioning as a Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide range of data and perform a wide range of malicious actions”

Once downloaded the malicious app from a third-party store and installed it, the spyware registers itself with a Firebase command-and-control (C2) server with information such as the presence of WhatsApp, battery percentage, and storage stats. The malware exfiltrates data from the infected devices in the form of an encrypted ZIP file.

The spyware’s actions and exfiltration are triggered in different circumstances, including the creation of a new contact, when a new SMS is received or, a new application is installed by the victims.

The malware receives commands through the Firebase messaging service to start actions like recording audio from the microphone. The stolen data is exfiltrated to a dedicated C2 through POST request. Below the list of commands supported by the spyware:

For avoiding detection and leave no traces, the Android spyware deletes any exfiltrated files as soon as it receives a “success” response from the C2 and also significantly reduce the bandwidth consumption.

“The spyware is capable of performing a wide range of malicious activities to spy on the victim while posing as a “System Update” application.” concludes the report. “It exhibits a rarely seen before feature, stealing thumbnails of videos and images, in addition to the usage of a combination of Firebase and a dedicated Command & Control server for receiving commands and exfiltrate data.”