Android malware that combines data-stealing and phishing capabilities lurked in Google Play disguised as legitimate-looking applications; one of them was installed at least 100,000 times.
Camouflaged as utility apps or games, Mobstspy infected devices primarily in India, although its distribution was worldwide, affecting users in 199 countries.
Researchers found a total of six apps in Google Play that carried the malware: HZPermis Pro Arabe, Flappy Bird, FlashLight, Win7Launcher, Win7imulator, and Flappy Birr Dog.
Install statistics for most of them showed up to a hundred installations, with two exceptions:
– Win7Launcher, up to 5,000 installations
– Win7imulator, up to half a million installations
Apps that port the Windows theme to an Android phone are bound to enjoy huge popularity.
Phishing for Google & Facebook logins:
The author(s) behind Mobstspy included phishing capabilities that allow it to launch a fake login screen whenever the victim tries to access their Facebook or Google account.
Unless users protect their accounts with two-factor authentication (2FA), which both Facebook and Google support, credentials captured this way are enough to take the account over. One caveat: malware that can read text messages, as this one does, is in a position to read SMS-delivered codes too, so an authenticator app or a hardware key is the safer second factor.
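To make concrete what the fake login screen does and does not give the attacker, here is an added example (not code from the report or from the malware) of a server-side check that requires a password plus a TOTP code. The account, its password, the salt and the iteration count are assumptions for this example; the TOTP seed is the RFC 6238 reference test secret, so the codes can be checked against the RFC's own test table. The scenario functions model three cases: the attacker has only the phished password, the attacker replays a one-time code the victim already spent, and the attacker relays a fresh code before the victim's real login.

```python
import hashlib
import hmac
import struct

# RFC 6238 reference secret, used here so the generated codes are verifiable.
TOTP_SEED = b"12345678901234567890"
SALT = b"demo-salt"            # assumption for this example
PBKDF2_ITERATIONS = 50_000     # assumption for this example
STEP_SECONDS = 30


def pbkdf2(password: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, SALT, PBKDF2_ITERATIONS)


def new_account(password: bytes, seed: bytes) -> dict:
    """Constructed account record: salted password hash, TOTP seed, spent codes."""
    return {"pw_hash": pbkdf2(password), "totp_seed": seed, "used_codes": set()}


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(seed: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current 30-second time step."""
    return hotp(seed, unix_time // STEP_SECONDS, digits)


def verify_login(account: dict, password: bytes, code, now: int) -> bool:
    """Password plus TOTP. Accepts the current step and one step either side for
    clock skew, and refuses a code that this account has already spent."""
    if not hmac.compare_digest(pbkdf2(password), account["pw_hash"]):
        return False
    if code is None:
        return False  # a phished password on its own never passes
    step = now // STEP_SECONDS
    for candidate in (step - 1, step, step + 1):
        expected = hotp(account["totp_seed"], candidate)
        if hmac.compare_digest(expected, code):
            if (candidate, code) in account["used_codes"]:
                return False  # replay of a code that was already used
            account["used_codes"].add((candidate, code))
            return True
    return False


def phished_password_only(now: int) -> bool:
    """Attacker holds only what the fake login screen captured: the password."""
    acct = new_account(b"hunter2", TOTP_SEED)
    return verify_login(acct, b"hunter2", None, now)


def phished_code_replayed(now: int, delay: int, victim_logged_in_first: bool) -> bool:
    """Attacker also captured the one-time code the victim typed at `now` and
    submits it `delay` seconds later. If the victim's real login went through
    first, the code is already spent; after a few steps it has expired anyway."""
    acct = new_account(b"hunter2", TOTP_SEED)
    captured = totp(TOTP_SEED, now)
    if victim_logged_in_first:
        verify_login(acct, b"hunter2", captured, now)
    return verify_login(acct, b"hunter2", captured, now + delay)


if __name__ == "__main__":
    print("password only:", phished_password_only(59))
    print("spent code replayed:", phished_code_replayed(59, 0, True))
    print("stale code after 90 s:", phished_code_replayed(59, 90, False))
    print("fresh code relayed at once:", phished_code_replayed(59, 0, False))
```

The last scenario is the honest limit of one-time codes: an overlay that relays a fresh code to the real service within the same 30-second step still gets in, which is why the used-code set and the short step matter, and why a phishing-resistant factor (a hardware key bound to the origin) closes the gap that any typed code leaves open.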
Malware sets sights on all valuable data:
Unlike the run-of-the-mill spyware out there, Mobstspy is interested in a wider range of data present on the compromised devices.
Apart from lifting the contacts, call logs and/or text conversations, it is also fitted with a list of folders to search for images and recorded voice conversations stored by different apps.
The content it targets includes video, images, audio, and documents, and it looks in folders belonging to specific apps, such as Messenger, Snapchat, WhatsApp, Viber, and call recording apps.
Even the Bluetooth storage location, the phone’s camera and sounds directories are on the list.
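The behaviour described above, one app opening media files out of directories that belong to several other apps, is something a defender can look for. The following is an added example (not code from the report) of that detection logic run over a constructed log of file-access events: it attributes each watched directory to an owning package where one exists, ignores an app reading its own data, and flags a package that reads media from three or more foreign locations. The log line format, the directory paths, the owner package names and the threshold are all assumptions for this example.

```python
import re
from collections import defaultdict

# Assumed locations on external storage for the apps and directories the
# article names. The owner package is None for shared directories
# (call-recorder output, Bluetooth transfers, camera and sound folders).
WATCHED_DIRS = {
    "/sdcard/WhatsApp/Media/": "com.whatsapp",
    "/sdcard/Viber/media/": "com.viber.voip",
    "/sdcard/Snapchat/": "com.snapchat.android",
    "/sdcard/Android/data/com.facebook.orca/": "com.facebook.orca",
    "/sdcard/CallRecordings/": None,
    "/sdcard/bluetooth/": None,
    "/sdcard/DCIM/Camera/": None,
    "/sdcard/Sounds/": None,
}

# File types the article says the spyware is after: video, images, audio, documents.
MEDIA_EXT = re.compile(r"\.(jpe?g|png|gif|mp4|3gp|m4a|amr|opus|mp3|wav|pdf|docx?)$", re.I)

# Hypothetical event format: "<unix_time> pkg=<package> op=<open|read> path=<file>"
LINE = re.compile(r"^(?P<ts>\d+) pkg=(?P<pkg>\S+) op=(?P<op>\S+) path=(?P<path>.+)$")

# Constructed sample: a "flashlight" app sweeping other apps' media, next to
# two legitimate accesses (WhatsApp reading its own files, a gallery app
# reading the camera folder).
SAMPLE_LOG = """\
1546300800 pkg=com.example.flashlight op=open path=/sdcard/WhatsApp/Media/WhatsApp Images/IMG-0001.jpg
1546300801 pkg=com.example.flashlight op=open path=/sdcard/WhatsApp/Media/WhatsApp Voice Notes/PTT-0002.opus
1546300802 pkg=com.example.flashlight op=open path=/sdcard/Viber/media/Viber Images/abc.jpg
1546300803 pkg=com.example.flashlight op=open path=/sdcard/CallRecordings/20190101.amr
1546300804 pkg=com.example.flashlight op=open path=/sdcard/DCIM/Camera/20190101.mp4
1546300805 pkg=com.whatsapp op=open path=/sdcard/WhatsApp/Media/WhatsApp Images/IMG-0001.jpg
1546300806 pkg=com.android.gallery3d op=open path=/sdcard/DCIM/Camera/20190101.mp4
1546300807 pkg=com.example.flashlight op=open path=/sdcard/Android/data/com.example.flashlight/cache/x.tmp
"""


def watched_dir_for(path: str):
    """Return the watched directory prefix a path falls under, or None."""
    for prefix in WATCHED_DIRS:
        if path.startswith(prefix):
            return prefix
    return None


def scan(log_text: str, threshold: int = 3) -> dict:
    """Map each package to the sorted list of foreign watched directories it read
    media from, keeping only packages at or above `threshold` distinct ones."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # tolerate lines in other formats
        path, pkg = m["path"], m["pkg"]
        prefix = watched_dir_for(path)
        if prefix is None or not MEDIA_EXT.search(path):
            continue
        if WATCHED_DIRS[prefix] == pkg:
            continue  # an app reading its own directory is expected
        touched[pkg].add(prefix)
    return {pkg: sorted(dirs) for pkg, dirs in touched.items() if len(dirs) >= threshold}


if __name__ == "__main__":
    for pkg, dirs in scan(SAMPLE_LOG).items():
        print(f"{pkg} read media from {len(dirs)} foreign locations: {', '.join(dirs)}")
```

On a real device the events would come from whatever file-access telemetry is available (an EDR agent, audit hooks, or `strace` on a test device); the threshold keeps a single incidental read of the camera folder from alerting, while a sweep across messaging, call-recording and camera directories does.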
The file delivery method:
“Once the malicious application is launched, the malware will first check the device’s network availability. It reads and then parses an XML configure file from its C&C server,” the researchers explain in a blog post yesterday.
The spyware also gathers device-related information that lets the attackers keep a record of the infected devices and target only specific devices in future campaigns.