New Android malware hit more than 100,000 users in 196 countries

• A new Android malware was hidden behind six different Android applications that were available in Google Play, out of which five apps were removed from Google Play in February 2018.
• The applications have been downloaded 100,000 times by users in 196 countries, with the majority of victims residing in India.

Researchers spotted a new Android malware hidden behind six different Android applications that were available for download in Google Play. The six apps include Flappy Birr Dog, Flappy Bird, FlashLight, Win7Launcher, Win7imulator, and HZPermis Pro Arabe. Out of these six apps, five have been removed from Google Play since February 2018.

However, these applications have been downloaded at least 100,000 times by users across 196 countries with the majority of victims residing in India. The affected countries include India, Russia, Pakistan, Bangladesh, Indonesia, Brazil, Egypt, Ukraine, Turkey, United States, Sri Lanka, Italy, Germany, Saudi Arabia, and more.

Modus Operandi

Researchers from TrendMicro detected spyware dubbed as ANDROIDOS_MOBSTSPY which is capable of stealing information such as user location, call logs, SMS conversations, and clipboard items. The malware uses Firebase cloud messaging to send information to its C2 server.

• Once the malicious application is installed and launched, the malware first checks for the device’s network availability.
• The malware then reads and parses an XML configuration file from its C2 server.
• Then, the malware collects device information such as the language used, its registered country, package name, device manufacturer, and more.
• It then sends the collected information to its C2 server.
• Once executed, the malware waits and then performs the command received from its C2 server via FCM.
• The malware can steal call logs, SMS conversations, contact lists, user location etc based on the command it received from its C2 server.

Other capabilities of the Malware

The capabilities of the malware include,

• Stealing and uploading files on the device.
• Stealing additional credentials through phishing attacks.
• Stealing user credentials by displaying fake Facebook and Google pop-ups and display screens.

Most users will not doubt the fake screens or pop-ups and are most likely to fall prey for the attack. When the users provide their username and password for the first time, the malware shows them that the log-in was unsuccessful, but the login credentials have already been stolen by the malware.