An Android Spyware disguised as games & utilities struck more than 100,000 victims in 196 countries before being taken out of Google Play. Detected as ANDROIDOS_MOBSTSPY & dubbed MobSTSPY, the malware initially grabbed attention when it was masqueraded as a called Flappy Birr Dog.
While it is common to find unarmed goods in third party app stores, MobSTSPY managed to infiltrate the authentic & reliable App Store i.e. Google Play with at least six different apps in 2018. These apps include:
- HZPermis Pro Arabe,
- Win7Launcher, and
- Flappy Bird
- Flappy Birr Dog
These apps pose as legitimate & claim to be torches, games & tools for productivity. Some of these have seen 10,000 download from users around the world. Though malware invasion in devices is common, but what makes this case more interesting is the widespread distribution of its applications.
Among the countries where the malware is scattered include Poland, Mozambique, Thailand Iran, Mexico, Tanzania, Vietnam, Algeria, Romania, Cambodia, Italy, Morocco, Malaysia, Kazakhstan, Germany, Iraq, Sri Lanka, Philippines, Argentina, Belarus, Saudi Arabia, the United Republic of Hungary & South Africa.
Threat Behavior of MobSTSPY
Unlike the undistinguished spyware, Mobstspy is scripted to embezzle wider range of data on the compromised devices. To evade detection and to build a strong base the malware after infiltration first detects the device’s network availability. It then reads and parses an XML configure file from its C&C (command and control server) hence registering the device.
It is observed that the malware leveraged Firebase Cloud Messaging (FCM) to communicate with the C&C server & depending on the command received it steals & transfers the data to the threat actors.
The threat behavior of Mobstspy can be categorized into two:
- Information Stealer: The nasty android infection lines its pockets with important user data like user location, text messages, call logs, contact lists, clipboard items & instance downloaded files on android devices. It also collects device information like its registered country, language used, package name, device manufacturer & so on to keep a track of devices for future social engineering attacks. The collected information is sent to C&C server via FCM.
- Phishing Aspect: In addition to info-stealing capabilities, malware is scripted to steal credentials of prominent social networking sites by displaying phishing screen. For instance, forged Facebook and Google login screens are displayed to trick users to enter the credentials. When the user provides the username & password, it returns an unsuccessful login message, but the credentials have already been stolen.
Read More :- Click here