Android spyware that made users vulnerable to cyber-attacks has been unearthed in the Play Store by IT security researchers at Zscaler. They claim that the Android spyware dubbed SMSVova, which remained hidden for three years, works under the disguise of an update. In reality, it is malware designed to attack the user’s smartphone and extract information about their location in real-time.

android spyware
cocoparisienne / Pixabay

 How researchers identified the spyware

The researchers first grew suspicious about the app when they saw a number of negative reviews in which users stated that the app does not update Android and simply slows down the phone, further weakening its battery.

“Just a waste of space, if I tried to open the app it will say ‘unfortunately system updates have stopped,” read one comment, according to ZDNet.

Another user who tried to start the app received a quick message on the screen saying, “Unfortunately, Update Service has stopped.”

Various other hints dropped by users, such as blank screenshots and the lack of a precise description of what the function of the app is supposed to be also led to suspicion among the researchers. The only information that the store page provided about the “SystemUpdate” app was that it offers updates and turns on a special location feature. However, there was no mention of what the app actually does.

How it worked

The researchers stated that the spyware was equipped with commands that could extract the last known location of the victim and also track incoming texts from the specific term “get faq.” After successful installation, attackers would drop a message to the infected device to get the response, notes IB Times.

Further, the researchers state that the malware was downloaded between 1 million and 5 million times since it first appeared in 2014. In a shocking development, Zscaler also found that the current spyware is sharing code with the dreaded malware called DroidJack, which was discovered in 2015 and performs similar functions.

DroidJack used to control the victim’s device, read their emails, record their conversations and track their locations. In October 2015, according to the BBC, law enforcement arrested a 28-year-old suspect believed to be behind the malware.

Other recent threats affecting Android

Although Google claims and perhaps does all it can to save its roughly 1.4 billion Android users from any such malware, there have been many instances of malware and also ransomware that get into phones with malicious intent.

Only recently, Android users were attacked by banking malware which appeared as a flashlight app. It is a more advanced version of traditional Trojans, as it can adjust its functionality dynamically. The Trojan can hack your banking credentials. It can also display a fake screen which looks very similar to legitimate apps and lock the device to make sure that users do not get a hint of anything wrong with their smartphones.

Further, the Trojan can successfully track messages and display a fake notification to bypass two-factor authentication. The fake flashlight malware can affect all the Android versions because of its flexibility. The Trojan, detected by ESET, was uploaded to Google pPay on March 30 and installed by about 5,000 users, notes welivesecurity.