Zscaler researcher Viral Gandhi said in a blog post that the malware's author uses domain squatting on several URLs that mimic those of a Google Android update in order to trick users and spread the infostealer. He added that the fake URLs are very short-lived, being regularly replaced with newer ones to serve the malware and effectively evade URL-based filtering.
The malware snaps up a wide variety of information, including call and SMS logs and browser history, and sets the victim up to have their payment card information stolen, he said.
An incident begins when the victim unknowingly visits the malicious website. The person is then presented with a pop-up alert that uses scare tactics to encourage them to install the malware-laced update.
“As part of the installation, the malware will ask for administrator privileges that allow it to terminate antivirus applications running in the background,” Zscaler Director of Security Research Deepen Desai told SCMagazine.com via emailed comments, adding all Android versions are susceptible to this attack.
The pop-up, presenting itself as a Chrome Update alert, is part of a common theme seen in recent malicious Android application packages.
“The user sees a popup indicating that their device is infected with a virus and asks them to update to clean up infection,” Desai said.
Once fully embedded on a phone, the malware gets to work. Its first task is to connect with the command and control (C2) server; it then begins to monitor SMS and call operations, sending the information along to the C2 server.
Not content with just swiping this personal information, the malware then launches a fake payment page when the person opens the Google Play Store. The malware then steals any payment card information that the owner may put into the form.
Desai recommends that users disable the “Unknown Sources” option on the device to prevent infection.
Eliminating the malware once it is installed requires a user to perform a factory reset, Desai said.