MobSTSPY spyware weaseled its way into Google Play

News by Robert Abel

Once again, spyware disguised as ordinary Android applications has made its way into the Google Play store, with some of the malicious apps downloaded more than 100,000 times by users across the globe last year.

Trend Micro researchers, who detect the malware as ANDROIDOS_MOBSTSPY and dubbed it MobSTSPY, said it first caught their attention when it was disguised as an app called Flappy Birr Dog.

Upon further investigation, researchers found the spyware was also hidden in other applications including FlashLight, HZPermis Pro Arabe, Win7imulator, Win7Launcher, and Flappy Bird, according to a 3 January blog post.

The malware can steal SMS conversations, contact lists, call logs, and files stored on the device, uploading the files when commanded to do so, and it uses Firebase Cloud Messaging (FCM) to send information to its server.
</gml_replace>

<gr_replace lines="15" cat="clarify" orig="MobSTSPY can also">
MobSTSPY can also gather additional information via phishing attacks, displaying pop-ups that mimic Facebook and Google credential requests to steal users' account details. After the victim enters their credentials, the pop-up simply states that the login was unsuccessful.

MobSTSPY can also gather additional information via phishing attacks mimicking Facebook and Google credential request pop-ups to steal user’s account details. Even after the victim enters their credentials the pop up will simply state the login was unsuccessful.

"Part of what makes this case interesting is how widely its applications have been distributed," researchers said in the post. "Through our back-end monitoring and deep research, we were able to see the general distribution of affected users and found that they hailed from a total of 196 different countries."

Researchers noted infections in Mozambique, Poland, Iran, Vietnam, Algeria, Thailand, Romania, Italy, Morocco, Mexico, Malaysia, Germany, Iraq, South Africa, Sri Lanka, Saudi Arabia, Philippines, Argentina, Cambodia, Belarus, Kazakhstan, Tanzania and Hungary.

Once it infects a device, the malware first checks the device's network availability, then reads and parses an XML configuration file from its command and control (C&C) server, thereby registering the device. Once done, the malware waits for and performs commands sent from its C&C server through FCM.
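The capability profile described above (SMS, contacts, call-log and file access plus an FCM command channel) is visible in an app's manifest before it ever runs, which makes it a useful triage filter. The following is an added example, not Trend Micro's code or anything from the malware itself: it parses a decoded AndroidManifest.xml (the form apktool produces) and flags an app that combines those data-access permissions with a Firebase Cloud Messaging listener service. The two sample manifests are constructed for this example; the permission names and the FCM intent action are real Android and Firebase identifiers, and the threshold of two or more spy permissions is an assumed heuristic.

```python
"""Manifest triage for the MobSTSPY-style capability profile (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Permissions that correspond to the data the article says MobSTSPY collects.
SPY_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.READ_EXTERNAL_STORAGE",
}
# Intent action that a Firebase Cloud Messaging service registers for.
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"


def manifest_profile(manifest_xml: str) -> dict:
    """Summarise an AndroidManifest.xml and apply the (assumed) triage rule."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    # Any <service> whose intent-filter listens for FCM messages.
    has_fcm = any(
        action.get(NAME_ATTR) == FCM_ACTION
        for svc in root.iter("service")
        for action in svc.iter("action")
    )
    spy = sorted(requested & SPY_PERMISSIONS)
    # An FCM listener alone is normal (push notifications); it is the
    # combination with several data-harvesting permissions that stands out.
    return {
        "spy_permissions": spy,
        "fcm_listener": has_fcm,
        "suspicious": has_fcm and len(spy) >= 2,
    }


# Constructed sample: a "flashlight" that declares the spyware profile.
SPY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application android:label="FlashLight">
        <service android:name=".MsgService" android:exported="false">
            <intent-filter>
                <action android:name="com.google.firebase.MESSAGING_EVENT"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a flashlight that only asks for what a flashlight needs.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <application android:label="Torch"/>
</manifest>
"""


def triage_samples() -> dict:
    """Run the rule over both constructed manifests, keyed by package name."""
    return {
        "com.example.flashlight": manifest_profile(SPY_MANIFEST),
        "com.example.torch": manifest_profile(BENIGN_MANIFEST),
    }


if __name__ == "__main__":
    for pkg, profile in triage_samples().items():
        print(pkg, profile)
```

This is a filter, not a verdict: a legitimate SMS or dialer app will declare the same permissions, and many benign apps ship an FCM service, so hits deserve a closer look at what the app actually does with the data rather than an automatic block. It also only covers permissions declared in the manifest, which is where Android requires them to be; it says nothing about the C&C configuration file the malware fetches at runtime.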

Researchers noted that five of the six apps had been removed from the Google Play store since February 2018 and that, as of writing, all of the malicious apps had been taken down.

To prevent infections from similar malware, researchers recommend users install a comprehensive cyber-security solution to defend their mobile devices against mobile malware.

This article was originally published on SC Media US.
