Phony Google Update Spreads Data-Stealing Android Malware

A phony Google update is moving malware onto Android devices. The malware harvests call and SMS information and can steal credit card data.

Android users are being warned of a phony Google update that is pushing malware onto devices.

The attackers behind this scheme are domain squatting URLs that are similar to ones used by Google for legitimate updates, hoping to snare less-than-vigilant users.

Researchers at Zscaler said yesterday in a report that the attackers invested heavily in this tactic to sidestep URL monitoring and security software in place on the device.

“These URLs are observed to be very short lived,” Zscaler said. “And are regularly replaced with newer ones to serve the malware and effectively evade URL based filtering.”

Zscaler also shared a list of the malicious domains:

  • http[:]//ldatjgf[.]goog-upps.pw/ygceblqxivuogsjrsvpie555/
  • http[:]//iaohzcd[.]goog-upps.pw/wzbpqujtpfdwzokzcjhga555/
  • http[:]//uwiaoqx[.]marshmallovw.com/
  • http[:]//google-market2016[.]com/
  • http[:]//ysknauo[.]android-update17[.]pw/
  • http[:]//ysknauo[.]android-update16[.]pw/
  • http[:]//android-update15[.]pw/
  • http[:]//zknmvga[.]android-update15[.]pw/
  • http[:]//ixzgoue[.]android-update15[.]pw/
  • http[:]//zknmvga[.]android-update15[.]pw/
  • http[:]//gpxkumv.web-app.tech/xilkghjxmwvnyjsealdfy666/

Once on the device, the malware connects to a remote site, before sending stolen call logs, SMS data, browser history and any stored banking data, Zscaler said. It also looks for mobile antivirus products on the devices and tries to disable them

The file name of the malware is Update_chrome.apk and once it’s installed, it asks the user to grant it admin permissions. It then registers the device with a command-and-control server, http[:]//varra.top/tapas/gtgtr[.]php, and begins monitoring activity on the device, harvesting call and SMS data in particular.

Zscaler also cautioned that if the victim has the Google Play app installed, the malware will serve up a phony payment page in an attempt to steal credit card numbers, which are then sent to a Russian phone number.

The researchers said, however, that the phony payment screen may have a coding bug since it crashed on a number of Zscaler test devices.

“We are seeing many new URLs dropping this malware actively in the wild.  Such infection of the victim’s device leads to critical information leakage like credit card details, SMS and call logs – which can further lead to financial banking fraud,” Zscaler said. “Once installed, this Infostealer cannot be removed from the phone as the malware does not allow the user to deactivate its administrative access. The only option to remove this malware is a factory reset, which leads to further data loss.”

Google said earlier this month in its annual Android Security Report that security enhancements to the OS have kept potentially harmful applications in check. Google said that 0.15 percent of devices are infected with potentially harmful apps from Google Play downloads, while 0.5 percent of those downloading from third-party app stores are infected.

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.