An Android app that falsely claimed to be a tool for keeping smartphones up-to-date with the latest version of the OS was found surreptitiously tracking the physical location of it users using spyware called SMSVova.
SMSVova hides inside a bogus app called System Update and is sent commands by attackers via inbound SMS messages to carry out functions such as setting and changing passwords for the spyware and retrieving location data.
According to researchers at Zscaler, between 1 million to 5 million users had downloaded the application via the U.S.-based Google Play store over the past three years. Zscaler said Google booted the app after being notified of its behavior.
Researchers said the System Update app intentionally mislead users and never disclosed its true intent of collecting location data. The closest the app came to transparency was a Google Play product description that read: “This application updates and enables special location features.”
In an analysis of the software, Zscaler said after the app was installed, users were led to believe the app was malfunctioning when opened. “As soon as the user tries to start up the app, it abruptly quits with the message: ‘Unfortunately, Update Service has stopped.’ At this point, the app has the ability to hide itself from the main screen,” wrote Shivang Desai, a senior security researcher at Zscaler.
After notifying the user the app had stopped working, the app launches the phone’s MyLocationService which captures location data and stores it in the Shared Preferences directory of the phone. To retrieve the location data, the SMSVova spyware comes into play.
SMSVova monitors incoming SMS messages for specific ones that are more than 23 characters in length and contain the text string “vova-” and “get faq.”
“Once the spyware has been installed on the victim’s device, an attacker can send an SMS message ‘get faq’ and this spyware will respond with a set of commands,” according to Zscaler.
Some of those commands include “changing current password” and “setting low battery notification.” According to Desai, those behind the spyware use the SMS commands in order to instruct SMSVova to retrieve and text back location data. The “setting low battery notification” message is used to instruct the phone to text location data when the battery runs low.
It’s unclear why the spyware is collecting location data, but Zscaler said it “could have been used for any number of malicious reasons.”
Desai theorizes that the application has managed to evade detection by VirusTotal and Google Play’s malware detector because of the app’s behavior at the initial stage of startup. Another reason, he said, is the app was last updated in December 2014, meaning the app didn’t face the same stringent analysis by Google as it would today.
According to Google’s most recent Android Security 2016 Year In Review report that came out last month, in 2016 devices that installed applications only from Google Play had fewer than 0.05 percent of potentially harmful applications installed. In 2015, that number was 0.15 percent.
“There are many apps on the Google Play store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report,” Desai wrote.