Android updates arrive automatically and do not require installing any other tool, which makes this case rather disturbing: numerous users fell victim to a trick on the Google Play Store by downloading a spyware-infected application.
Zscaler security experts say that an application named “System Update” posed as a legitimate app in the Google Play Store. It promised users access to the latest Android software updates, although a third-party app cannot actually deliver these.
The Android spyware entered the Google Play Store in 2014, and by the time it was noticed, it had reached between 1 and 5 million downloads. Once alerted to the spyware, Google removed the app immediately.
The problem with the Android spyware, though, is that despite being deleted from the store, it did a lot of damage. For instance, the application was used to spy on users’ location, which could be used for various malicious purposes.
A look at the app’s listing would have turned up tons of bad reviews from people complaining that the application wasn’t working. This, by itself, should have been a dead giveaway. Beyond that, users reported that as soon as they tried to open the application, it stated “Unfortunately, System Updates has stopped”, while others’ phones started freezing and running slowly.
Other indications that the spyware wasn’t a proper application were the lack of screenshots attached to the app and the lack of a proper description.
“The app in this analysis portrays itself as a system update and does not mention in its description about tracking the victim. As shown in the screenshot below, it does not mention that it will send location information to a third party,” Zscaler states.
As users have said, when launched on the PC, the application stops and displays the message “Unfortunately, Update Service has stopped.” This does not mean that the application stops working, only that it hides itself from the main screen. Instead of appearing there, the spyware sets up an Android service and a broadcast receiver, fetches the user’s last known location and scans for any incoming SMS messages.
“This piece of code is designed to look for incoming SMS messages with a particular syntax, in which the message should be more than 23 characters and should contain “vova-” in the SMS body. It also scans for a message containing “get faq.” Once the spyware has been installed on the victim’s device, an attacker can send an SMS message “get faq” and this spyware will respond with a set of commands,” the experts said.
According to security researchers, the malicious application avoided detection for years. Even though its last update was in December 2014, the spyware kept being installed on users’ devices.
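The SMS trigger syntax quoted above from the researchers can be turned into a triage check over an exported message log, grouping suspicious messages by sender. This is an added example, not code from Zscaler or from the app; the CSV export layout, the sample messages and the `ignore_case` option are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export (timestamp, sender, body); not real device data.
SAMPLE_EXPORT = """timestamp,sender,body
2015-03-01T10:02:11,+15550100,Your parcel arrives tomorrow between 9 and 12
2015-03-01T10:05:40,+15550123,get faq
2015-03-01T10:07:02,+15550123,vova-placeholder-command-text-0001
2015-03-01T10:09:30,+15550177,vova-short
2015-03-02T08:00:00,+15550188,Please GET FAQ from the helpdesk page
"""

MIN_LEN = 23        # per the write-up: body must be MORE than 23 characters
MARKER = "vova-"    # command marker quoted in the write-up
QUERY = "get faq"   # query string quoted in the write-up


def classify(body, ignore_case=False):
    """Return the trigger rules a single SMS body matches (empty list if none)."""
    # Assumption: the write-up does not say whether matching is case-sensitive,
    # so exact matching is the default and ignore_case widens the net for review.
    text = body.lower() if ignore_case else body
    reasons = []
    if len(body) > MIN_LEN and MARKER in text:
        reasons.append("vova-command")
    if QUERY in text:
        reasons.append("get-faq-query")
    return reasons


def triage(export_text, ignore_case=False):
    """Group matching messages by sender: {sender: [(timestamp, reasons), ...]}."""
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        reasons = classify(row["body"], ignore_case)
        if reasons:
            hits[row["sender"]].append((row["timestamp"], reasons))
    return dict(hits)


if __name__ == "__main__":
    for sender, events in triage(SAMPLE_EXPORT).items():
        for ts, reasons in events:
            print(sender, ts, ",".join(reasons))
```

Running with `ignore_case=True` also flags the constructed helpdesk message, which shows why a substring rule like this is a lead for review rather than proof of infection.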