Experts from security firm Zimperium have spotted a sophisticated new Android spyware that masquerades as a System Update application. The malware can collect system data, messages, and images and take over infected Android devices; it could allow operators to record audio and phone calls, take photos, review browser history, access WhatsApp messages, and more.
“The “System Update” app was identified by zLabs researchers who noticed an Android application being detected by the z9 malware engine powering zIPS on-device detection. Following an investigation, we discovered it to be a sophisticated spyware campaign with complex capabilities.” states the analysis published by Zimperium. “The mobile application poses a threat to Android devices by functioning as a Remote Access Trojan (RAT) that receives and executes commands to collect and exfiltrate a wide range of data and perform a wide range of malicious actions.”
The experts shared their findings with Google, which confirmed that the malicious app has never been uploaded to Google Play.
Once the malicious app has been downloaded from a third-party store and installed, the spyware registers itself with a Firebase command-and-control (C2) server, sending information such as the presence of WhatsApp, battery percentage, and storage stats. The malware exfiltrates data from infected devices in the form of an encrypted ZIP file.
The spyware’s actions and exfiltration are triggered under different circumstances, including when a new contact is created, a new SMS is received, or a new application is installed by the victim.
The malware receives commands through the Firebase messaging service to start actions like recording audio from the microphone. The stolen data is exfiltrated to a dedicated C2 through a POST request. Below is the list of commands supported by the spyware:
In order to avoid detection and leave no traces, the Android spyware deletes any exfiltrated files as soon as it receives a “success” response from the C2, and it also significantly reduces its bandwidth consumption.
“The spyware is capable of performing a wide range of malicious activities to spy on the victim while posing as a “System Update” application.” concludes the report. “It exhibits a rarely seen before feature, stealing thumbnails of videos and images, in addition to the usage of a combination of Firebase and a dedicated Command & Control server for receiving commands and exfiltrate data.”
Researchers also shared Indicators of Compromise (IoCs) for this threat.
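A defender's triage based on the traits described above (distribution outside Google Play, access to audio, camera, SMS, and contacts), as an added example that is not from Zimperium's report. It parses saved output of `adb shell pm list packages -i -3` and `adb shell dumpsys package <pkg>`; the permission set, the threshold, and the package names are assumptions made for illustration.

```python
import re

# Assumption: Android permissions matching the capabilities the article lists
# (audio recording, photos, SMS, contacts, calls); not taken from the report.
SENSITIVE = {"android.permission." + p for p in (
    "RECORD_AUDIO", "CAMERA", "READ_SMS", "READ_CONTACTS", "READ_CALL_LOG")}
PLAY_INSTALLER = "com.android.vending"  # Google Play's installer package
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
PERM_RE = re.compile(r"^(android\.permission\.[A-Z_]+): granted=true")

def parse_installers(listing):
    """Parse `pm list packages -i -3` output into {package: installer}."""
    matches = (PKG_RE.match(line.strip()) for line in listing.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def granted_permissions(dumpsys_text):
    """Collect permissions marked granted=true in `dumpsys package <pkg>` output."""
    matches = (PERM_RE.match(line.strip()) for line in dumpsys_text.splitlines())
    return {m.group(1) for m in matches if m}

def triage(listing, dumps, threshold=3):
    """Return non-Play packages holding at least `threshold` sensitive permissions."""
    hits = []
    for pkg, installer in sorted(parse_installers(listing).items()):
        held = granted_permissions(dumps.get(pkg, "")) & SENSITIVE
        # Apps installed through Google Play are out of scope for this check.
        if installer != PLAY_INSTALLER and len(held) >= threshold:
            hits.append((pkg, installer, sorted(held)))
    return hits

# Constructed sample data: hypothetical package names, not IoCs from the report.
LISTING = """\
package:com.example.notes  installer=com.android.vending
package:com.example.sysupdate  installer=null
package:com.example.flashlight  installer=com.google.android.packageinstaller
"""
DUMPS = {
    "com.example.sysupdate": """
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true
      android.permission.CAMERA: granted=false
    """,
    "com.example.flashlight": "android.permission.CAMERA: granted=true\n",
}

if __name__ == "__main__":
    for hit in triage(LISTING, DUMPS):
        print(hit)
```

A hit is a lead for manual review rather than a verdict, since legitimate sideloaded apps can hold the same permissions.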