While Android is a far more secure operating system than a lot of people give it credit for, malware and spyware can still appear from time to time. Recently, a security firm uncovered a worrisome bit of spyware on Android that disguises itself as a system update.

Zimperium security firm reported last week on a new piece of spyware designed for Android that can steal data without a user’s immediate knowledge, even going so far as hiding its app icon from the app drawer and limiting the amount of data transmitted.

The spyware, which does not require root access, disguises itself as an Android system update to fool users into thinking that the device is only checking for a system update rather than stealing their data. A notification appears that says the device is “Searching for update…” and even uses the Google icon.

Once installed and active, the Remote Access Trojan (RAT) can receive and execute commands on the device to capture and steal data. These actions include:

  • Stealing instant messenger messages;
  • Stealing instant messenger database files (if root is available);
  • Inspecting the default browser’s bookmarks and searches;
  • Inspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet Browser;
  • Searching for files with specific extensions (including .pdf, .doc, .docx, and .xls, .xlsx);
  • Inspecting the clipboard data;
  • Inspecting the content of the notifications;
  • Recording audio;
  • Recording phone calls;
  • Periodically take pictures (either through the front or back cameras);
  • Listing of the installed applications; 
  • Stealing images and videos;
  • Monitoring the GPS location;
  • Stealing SMS messages;
  • Stealing phone contacts;
  • Stealing call logs;
  • Exfiltrating device information (e.g., installed applications, device name, storage stats); and
  • Concealing its presence by hiding the icon from the device’s drawer/menu.

Notably, apps such as WhatsApp are vulnerable to this spyware when the device is rooted. That’s not possible for the spyware on more recent versions of Android, but out-of-date versions may be vulnerable to the app establishing root access on its own. This serves as a good example of why major Android updates are so important for phones.

To better prevent infect users from discovering the spyware, it only captures and uploads limited sets of data to avoid raising red flags on data usage. For example, instead of sending full-size images, the spyware only captures thumbnails that are much smaller in file size.

Google, in response to a query from ArsTechnica, didn’t have a full statement on the spyware, but did note that is has never been available through the Google Play Store. That means that, thankfully, the majority of Android users have likely never come in contact with the spyware.

More on Android:

FTC: We use income earning auto affiliate links. More.


Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Schoon's favorite gear