A piece of malware pretending to be an Android system update was downloaded over 1 million times since its launch in 2014. The malware, dubbed SMSVova, spied on a victim’s location and relayed it to the attacker in real time.
The app, named “System Update” and sporting official-looking Android art, was spotted by security researchers at Zscaler and then removed by Google soon after disclosure.
When a user starts the newly downloaded app, it quits and pops up a message alerting the user that “Unfortunately, Update Service has stopped.” It then goes into hiding but remains active.
The malware watches a victim’s location and incoming SMS messages. The attacker sends a message like “get faq” and the infected device responds with a set of commands allowing for constant monitoring or conditional alerts on a victim’s location.
“There are many apps on the Google Play Store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents,” the Zscaler researchers wrote. “But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report. It portrayed itself as a system update, misleading users into thinking they were downloading an Android System Update.”
This incident, which lasted almost three years and may have impacted as many as 5 million devices, is being used to criticize the Google Play store’s lack of policing of dangerous malware. This is far from the first time a case like this has been reported, including another Zscaler spyware discovery from earlier this year.
Just earlier this week, new banking malware was spotted in the Google Play store posing as an app called “Funny Videos 2017.” With as many as 5,000 installs, this bank credential phishing malware had a much smaller impact than SMSVova but still reached a number of victims.