Android spyware masqueraded as a fake system update on Google Play’s Store in an attempt to log unsuspecting users’ location data.
Google’s researchers removed the SMSVova spyware from its official Android app store after receiving reports about an app called “System Update.” This program claimed it could provide users with the latest Android operating system updates. But blank screenshots on its Google Play Store page, the absence of a proper description for the app, and negative user reviews gave the fake app away.
Alright, so what does this really app do?
Zscaler’s Shivang Desai answers that question in a blog post:
“As soon as the user tries to start up the app, it abruptly quits with the message: ‘Unfortunately, Update Service has stopped.’ At this point, the app has the ability to hide itself from the main screen.”
That’s not surprising. Neither is the fact that the “app” sets up two processes in the background. The first process, “MyLocationService”, retrieves a user’s last known location and sets it up in Shared Preferences. This service contains code for the second process: a receiver that scans SMS messages for vova-, a default password which allows the attacker to do all sorts of things on an infected device.
Sending the SMS message get faq displays a user manual for some of these commands.
All that remains is for the attacker to designate a phone number. From there, the spyware will begin logging the device owner’s location and sending it to the attacker. It completes this functionality using the exact same code employed by DroidJack, a remote access tool (RAT) which has also masqueraded as fake Android apps.
Android users can protect themselves against SMSVova, DroidJack, and similar threats by carefully researching each app before they install it. That includes reading the user reviews and looking for signs of suspicious activity (e.g. blank screenshots and no description on a Google Play Store page)
Just to be extra safe, users would also be wise to install a mobile anti-virus solution onto their devices.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.