Android spyware pretends to be Google to avoid detection and removal
Android spyware disguises itself as Google Play, Youtube, Google, or a VOIP calling app Botim and is almost impossible to remove from a phone.
Android spyware that has previously targeted victims in the Middle East, primarily people in the Palestinian territories, have incorporated new features into their malicious apps that make them more resilient to actions by users, who might try to remove them manually, and to security and web hosting companies that attempt to block access to or shut down their command-and-control server domains.
Spyware was attributed to an advanced persistent threat (APT) actor group called C-23 ( GnatSpy, FrozenCell, or VAMP).
According to Sophos researchers, apps purport to install updates on a target’s phone and usually use names as App Updates, System Apps Updates, or Android Update Intelligence. Sophos suspects that the malicious links to downloads are delivered via SMS. To the best of researchers’ knowledge, none of the apps have been hosted on Google Play Store.
“Once installed, the spyware sends unique, identifiable device parameters to its command-and-control server. One of the newer features of this variant is that it will initially use a hardcoded C2 address to communicate but also contains code that allows the operators of the spyware to push down a new address. This ability can keep the malware functional if one or more of the C2 server domains is taken down. The new variants did not conceal or obfuscate the C2 server address in any way,” Sophos said.
If the installation is successful, the malicious app collects SMS, contacts, call logs, images, documents. It also records audio, incoming and outgoing calls, including WhatsApp calls, takes screenshots and records video of the screen, and takes pictures with the victim’s camera.
Spyware disguises itself by changing its icon to Google Play, Youtube, Google, or Botim to make it invisible to the victim.
“Once this happens, the next time the spyware app is opened, the spyware opens the real app whose disguise it wears, i.e., it opens Chrome if it disguises itself as Chrome, thereby giving an illusion to the user that the app is legit,” Sophos explained.
What is more, spyware can cancel notifications from built-in security apps (such as Samsung SecurityLogAgent, Xiaomi MIUI SecurityCenter, Huawei SystemManager) and Android system apps, package Installer, and its notifications.
“To avoid falling prey to such malicious apps, users should only install apps from trusted sources such as Google Play. Updating Android OS and applications should be done via Android Settings and Google Play, respectively, instead of relying on a third-party app,” Sophos said.
Users should be particularly wary of apps asking for sensitive permissions such as device admin, notification access, or those requiring superuser/root access.
Related articles from Cybernews:
Subscribe to our newsletter