Android Malware disguised as “System Update”

The “System Update” Malware

A new Android security threat that is distributed disguised as a “System Update” has been reported by security researchers.

system update malware

The malware operates as a remote access Trojan (RAT) and comes with a whole set of malicious features that are aimed at stealing different types of information from the compromised Android devices.

According to the information that is available, the threat is being distributed via third-party Android apps and is not present on Google’s Play Store. The spread of the spyware infection is also limited by its inability to replicate on other Android devices that are connected which greatly restricts the number of users that could fall victim. Still, those that get tricked into downloading and installing the malicious “System Update” may suffer from serious data theft.

Collects and exfiltrates all types of information

Security researchers reveal that the data-stealing abilities of this remote access trojan (RAT) can be quite extensive. The malware may take full control of the infected Android phones and steal messages, images, and other data that is stored there and send it to the criminal-operated command-and-control center.

The hackers who are in control of the threat can secretly spy on their victims through the compromised device and record their phone calls, review their browser’s history and bookmarks, and even access their WhatsApp messages and correspondence on other instant messenger apps.

The malware’s espionage capabilities include also searching for files with specific extensions (including .pdf, .doc, .docx, and .xls, .xlsx), inspecting the content of the notifications, recording audio, taking pictures through the cameras,  monitoring the GPS location, exfiltrating information about the device, the apps installed on it, the victim’s phone contacts and more.

Researchers explain how the malware works

A recent analysis of the “System Update” Android threat reveals that the spyware can steal data through root access or through the Accessibility Services. For that, it prompts the victim to enable the feature on the infected device.  

Once the necessary access is gained, the spyware infection scans both the internal and the external storage, harvests data from them, and sends it to the command-and-control servers as soon as the victim connects to Wi-Fi.

Anytime new information is added, such as a new contact, new apps, or new messages, the malware captures that data and sends it to the dedicated command-and-control server that collects all stolen data.

Victims of the new Android infection may face difficulties to detect it as the spyware hides its icon from the menu.

Those who are suspecting a compromise may find more details about the symptoms, malware sample hashes, and other information related to the spyware attack in Zimperium’s detailed report.


About the author

Lidia Howler

Lidia is a web content creator with years of experience in the cyber-security sector. She helps readers with articles on malware removal and online security. Her strive for simplicity and well-researched information provides users with easy-to-follow It-related tips and step-by-step tutorials.

Leave a Comment