Trend Micro researchers have discovered MobSTSPY, malware for Android devices that collects user location information and communication logs, steals files, and gathers information about their orders. According to the researchers, at least 100,000 users around the world have been affected after this malware made its way into the Play Store.
This was done through several infected applications. "Carriers" of the malware include popular games; among the most downloaded are Flappy Bird and some of its variations (Flappy Birr Dog). Other applications that stood out by number of infected users were Flashlight and various emulators.
The first versions of the detected applications were uploaded to Google Play without active malicious code; their purpose was to build an infrastructure for attacks that would follow later. The malicious version was most likely activated months later, once there was a sufficiently large base of users of these applications.
Bharat Mistry, Principal Security Strategist at Trend Micro, said such a scenario was possible because Google rigorously checks new applications, but after several updates in which no malicious code was found, the strictness of the scan decreases significantly. Once an application has gained credibility and is well received by users, it is much easier to "run" a malicious version on Google Play.
After installation, MobSTSPY checks whether the infected device has network connectivity, then connects to the command-and-control server and sends it information about the device. The attacker can then trigger a range of malicious actions, including theft of SMS messages, contact lists and various files, taking screenshots, recording audio, and downloading WhatsApp data, among others.
Another mode of action is a phishing attack. The malware displays fake pop-up messages that appear to come from popular sites such as Facebook or Google, asking the user to log in to their account. After the credentials are entered, the user is told that the login failed, and the pop-up disappears, taking the stolen usernames and passwords with it.
Trend Micro researchers said the malware was discovered in 196 countries, with almost a third of the victims in India, which may indicate where the attackers are operating.
All applications found to carry MobSTSPY – Flappy Birr Dog, Flappy Bird, FlashLight, HZPermis Pro Arabe, Win7imulator and Win7Launcher – have been removed from Google Play.