Hackers use malware disguised as Word doc to steal data from Android users

Android malware tricks users into opening document that installs data stealing Trojan


Hackers have created Android malware that hides itself as a Microsoft Word document in order to trick users into opening it and steal data.

The malware was discovered by IT security firm Zscaler. When triggered, the malware scans all of the smartphone's data and sends it to the hacker via email. The researchers said the attack was reminiscent of early Windows malware attacks with files named with eye-catching titles and common icons to entice victims to open the file.

The malware is often downloaded from an unofficial source and portrays itself as a data file with an icon similar to that used by Microsoft Word documents and is entitled '资料' (Data). It runs with Administrative access and hence cannot be easily uninstalled. 

When installed, Data scans the device for SMS messages and other personally identifiable information such as the IMEI number, SIM card number, device ID, victim's contact information, etc. and sends this to the attacker via email.

As soon as the victim tries to start the app, it shows an explicit error stating, "Installation errors, this software is not compatible with the phone", and the icon then disappears from the device screen.

The malware then goes to work stealing SMS messages and the contacts list and sending them back to a hard-coded email address. It also sends an SMS message with the phone's IMEI number.

Researchers said that the campaign started earlier this month and almost 300+ users had fallen prey to this malware. “The attacker was able to successfully retrieve message details and contact lists from the infected users,” said the researchers in a blog post.

The malware was also designed to call phone numbers provided by an attacker via SMS. “It has a broadcast receiver registered to trigger whenever a new SMS is delivered,” said the researchers. “The malware reads the SMS received from the attacker and acts accordingly.” The feature means that victims can be spied upon in real time.

As the app has admin rights, users can only uninstall the malware by booting the device into safe mode, deactivating the app as a device administrator (in the settings menu, tap on security, then device administrator) and then uninstalling it (tap on settings, then apps, then uninstall).
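The two traits described above, a device-administrator receiver that resists uninstallation and a broadcast receiver on incoming SMS, are visible statically in an APK's manifest. The following is an added triage example (not code from the article or from Zscaler) that parses a constructed AndroidManifest.xml mimicking the reported sample and flags that combination together with the SMS, contacts and phone-state permissions the data theft would need; the package name, class names and manifest are all made up for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # namespaced android:name attribute key

# Constructed manifest mimicking the reported behaviour; not the real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.doc">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="资料">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Permissions that together allow reading SMS, contacts and IMEI/SIM identifiers.
DATA_THEFT_PERMS = {"android.permission.READ_SMS", "android.permission.READ_CONTACTS",
                    "android.permission.READ_PHONE_STATE"}

def triage_manifest(xml_text):
    """Return the set of suspicious traits found in an AndroidManifest.xml string."""
    root = ET.fromstring(xml_text)
    perms = {p.get(NAME) for p in root.iter("uses-permission")}
    actions = {a.get(NAME) for a in root.iter("action")}
    traits = set()
    if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
        traits.add("device_admin")  # survives a normal uninstall until deactivated
    if "android.provider.Telephony.SMS_RECEIVED" in actions:
        traits.add("sms_receiver")  # reacts to incoming SMS, as the report describes
    if perms & DATA_THEFT_PERMS:
        traits.add("reads_pii")     # SMS, contacts, IMEI/SIM data
    if "android.permission.SEND_SMS" in perms:
        traits.add("sends_sms")     # can beacon the IMEI or run up SMS charges
    return traits

def is_high_risk(xml_text):
    # Flag only the full combination, so a plain SMS app is not reported.
    return {"device_admin", "sms_receiver", "reads_pii"} <= triage_manifest(xml_text)
```

A real triage run would feed this the decoded manifest of an APK pulled from a device or mail gateway quarantine rather than the embedded sample.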

Chris Boyd, malware intelligence analyst at Malwarebytes, told SCMagazineUK.com that imitating a Word document would suggest distribution by email attachment.

“This is a dangerous mobile threat due to the potential for running up costly SMS bills alongside message theft,” he said. “This could be bad news where a corporate device is concerned.”

He added: “If the distribution method is email, that would work against it as the file wouldn't be authorised to run on the phone by default. It would be likely that IT departments would have disabled the ability to install non-approved programs. Files such as this don't tend to linger on the Play store for too long either, so an ‘official’ route onto the phone would be short lived.”

Adam Tyler, chief innovation officer at CSID, told SC that the most unique part of this campaign is the method of delivery used by the authors.

“The majority of Android malware has previously been delivered via unofficial App stores,” he said. “These are stores that are not run by Google and focus on the distribution of cracked or pirated packages. Some countries, such as China, block the official Google App store, meaning that users have no choice but to use unofficial entities for their software needs.”

Catalin Cosoi, chief security strategist at Bitdefender, told SC that IT admins should enforce BYOD policies to restrict software installations from untrusted sources.

“Also, organisations should install a mobile device management solution to have full visibility of mobile devices connected to the corporate network through real-time scanning. This will also help enforce the organisation's security policies on any number of devices,” he added.