A cyber security company has made an astounding discovery, uncovering another piece of Android malware. This one can access your phone’s GPS and send your location to attackers, and the worst and scariest thing of all is that it was sitting right there in the Google Play store for three whole years.
The malware was discovered by researchers from a company called Zscaler, who said that it’s known as SMSVova Android spyware and that it poses as just another system update in the Play Store. It first appeared back in 2014, and since then it has been downloaded between one and five million times.
The description says that by downloading it, users will receive the newest system updates for their Android smartphones, but it is really malware that hides on the phone and streams the exact location of the device, and therefore of the user, in real time.
Many of the users weren’t even aware that they had been infected by spyware, as shown by the negative comments complaining that the app doesn’t update anything, that their phones are slow and that their batteries drain quickly. These comments are the main reason the app made Zscaler’s researchers suspicious in the first place. Further investigation revealed that the app doesn’t even explain what updates it will make, and the researchers then discovered that it does nothing to update the system. Instead, it’s spyware that sends the location of every device that ever downloaded it.
After the app is downloaded and the user tries to run it, a message saying “Unfortunately, Update Service has stopped” is displayed, and the app hides itself and starts sending the location of the user. Not only that, but it also sets up an SMS receiver and scans incoming messages, waiting for one with further instructions. If a text that says ‘get faq’ arrives on the device from the hacker, the spyware continues with the attack.
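The combination described above (an app presented as an update that reads the device location and listens for incoming SMS) can be checked for when reviewing an app's manifest. The following is an added example, not code from Zscaler or from the original article; it assumes the manifest has already been decoded to text XML, and the sample manifest, package name and class name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample; package, class and label are hypothetical, not from the real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="System Update">
    <receiver android:name=".IncomingSms">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml):
    """Return (suspicious, findings) for a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(NS + "name") for e in root.iter("uses-permission")}
    # Receivers whose intent filter subscribes to incoming SMS broadcasts.
    sms_receivers = sorted({r.get(NS + "name", "?") for r in root.iter("receiver")
                            for a in r.iter("action")
                            if a.get(NS + "name") == SMS_ACTION})
    app = root.find("application")
    # Assumption: the label is a literal string; real apps often use @string/ refs.
    label = app.get(NS + "label", "") if app is not None else ""
    findings = []
    if perms & LOCATION:
        findings.append("requests device location")
    if sms_receivers:
        findings.append("listens for incoming SMS: " + ", ".join(sms_receivers))
    if "update" in label.lower():
        findings.append("presents itself as an update: " + label)
    # Flag only when all three traits from the article occur together.
    return len(findings) == 3, findings

if __name__ == "__main__":
    suspicious, findings = triage_manifest(SAMPLE_MANIFEST)
    print("suspicious:", suspicious)
    for f in findings:
        print(" -", f)
```

Each trait on its own is common in legitimate apps; the check flags only the three appearing together, and a hit is a reason to look closer, not a verdict.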
This reliance on SMS is probably what allowed the malware to remain undetected for the last three years, the researchers said. It’s still unknown who the attackers are and why they need the locations of their victims.
What’s known so far is that the app hasn’t been updated since December 2014, but that doesn’t mean that it’s not still operational, since it has infected hundreds of thousands of others since then. It’s also believed that the attacker specializes in targeting Android systems, since the malware shares code with another threat called the DroidJack Trojan.
The fake app was removed from the Google Play store after the company reported it to Google’s security team, but all those who downloaded it still have an infected device.
Even though Google is doing an amazing job at keeping Android’s 1.4 billion users safe from attacks like this, SMSVova is proof that some of the more clever ones still manage to sneak past Google’s defences. Google has yet to comment on how and why the malware managed to remain undetected for three years while pretending to be one of its updates.