Fake Android system update *really* wants to know your location

This spyware looks oddly familiar…

David bisson
David Bisson

Fake Android system update *really* wants to know your location

Android spyware masqueraded as a fake system update on Google Play’s Store in an attempt to log unsuspecting users’ location data.

Google’s researchers removed the SMSVova spyware from its official Android app store after receiving reports about an app called “System Update.” This program claimed it could provide users with the latest Android operating system updates. But blank screenshots on its Google Play Store page, the absence of a proper description for the app, and negative user reviews gave the fake app away.

Update reviews 1
Users’ reviews of “System Update” on Google’s Play Store. (Source: Zscaler)

Alright, so what does this really app do?

Sign up to our free newsletter.
Security news, advice, and tips.

Zscaler’s Shivang Desai answers that question in a blog post:

“As soon as the user tries to start up the app, it abruptly quits with the  message: ‘Unfortunately, Update Service has stopped.’ At this point, the app has the ability to hide itself from the main screen.”

Update icon
App Icon & Error Message. (Source: Zscaler)

That’s not surprising. Neither is the fact that the “app” sets up two processes in the background. The first process, “MyLocationService”, retrieves a user’s last known location and sets it up in Shared Preferences. This service contains code for the second process: a receiver that scans SMS messages for vova-, a default password which allows the attacker to do all sorts of things on an infected device.

Sending the SMS message get faq displays a user manual for some of these commands.

Update get faq in sms
Commands via SMS. (Source: Zscaler)

All that remains is for the attacker to designate a phone number. From there, the spyware will begin logging the device owner’s location and sending it to the attacker. It completes this functionality using the exact same code employed by DroidJack, a remote access tool (RAT) which has also masqueraded as fake Android apps.

Android users can protect themselves against SMSVova, DroidJack, and similar threats by carefully researching each app before they install it. That includes reading the user reviews and looking for signs of suspicious activity (e.g. blank screenshots and no description on a Google Play Store page)

Just to be extra safe, users would also be wise to install a mobile anti-virus solution onto their devices.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

One comment on “Fake Android system update *really* wants to know your location”

  1. David L

    https://www.av-comparatives.org/ recently tested over one hundred of the AV security apps from playstore, and also did an indepth report on some of the top performers about six months ago. Avast is a free app, which does have some ads, but they are tolerable. But the number of features make it a winner. Plus they scored 100% on the malware detection testing.(https://play.google.com/store/apps/details?id=com.avast.android.mobilesecurity )

    But, Malwarebytes offers a pretty good app, free, no ads, that scored 96.0% on defections.
    ( https://play.google.com/store/apps/details?id=org.malwarebytes.antimalware )
    It has some nice features too that I find helpful, like privacy report, and shows running apps in background.

    AVG mobile security, owned by Avast, is another free, ad supported app that scored 100% on detection. And is feature rich.Most of the rest have free trails, then require a subscription.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.