Android malware uses old techniques, comes with new tricks

Oct 30, 2015 00:12 GMT  ·  By

A sneaky Android piece of malware is disguising itself as a Microsoft Word document to trick users into opening it and triggering its malicious code.

The Android app borrows a trick from early Windows-era malware: it uses a familiar document icon so users assume the file is safe to open.

As usual, the malware reaches phones when users install apps from unofficial sources.

When a user taps the Word document that has appeared on the home screen, the malware covers its tracks with a fake error message that reads, "Installation errors, this software is not compatible with the phone."

The malware steals the user's contact list and SMS messages

While the error popup is on screen, the malware starts several hidden background services that read the phone's data stores (contacts and SMS), harvest their contents, and give it control of the SMS and email functions.

The malware is basically an Android infostealer, one that exfiltrates SMS messages and contact lists.

Zscaler researchers analyzed the app's code and found a hardcoded phone number to which the malware sends an SMS containing the handset's IMEI.

User data is sent to a hardcoded email address

The code also embeds an email address together with its password; the malware logs into that account and emails out the phone's SMS messages and contact list.

By accessing this email account, Zscaler researchers determined that more than 300 victims had been infected and had their data stolen. The earliest emails date back to October 10, 2015.

The malware also includes a calling function. When the attackers send a specially formatted SMS to the victim's phone, the malware intercepts it and places a call to a number contained in the message, which can be used to listen in on the victim in real time.
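As an added example (not Zscaler's tooling and not the malware's own code), the script below performs static triage on a decoded APK for the indicator set described above: SMS and contact permissions, a high-priority receiver on incoming SMS for the command channel, call placement, a device-admin receiver, and hardcoded email credentials and phone numbers in the string table. The permission and intent-action names are real Android constants, but the behaviour labels and the verdict rule are this example's own, and the manifest, package names and string dump are constructed for the demo.

```python
# Added example (not Zscaler's tooling): static triage of a decoded APK for the
# indicator set the article describes. Sample manifest and strings are constructed.
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute prefix

# Real Android permission names; the behaviour labels are this example's own.
PERMISSION_INDICATORS = {
    "android.permission.READ_SMS": "reads stored SMS",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS (command channel)",
    "android.permission.SEND_SMS": "can SMS the IMEI out",
    "android.permission.READ_PHONE_STATE": "can read the IMEI",
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.CALL_PHONE": "can place calls (spy-call feature)",
    "android.permission.INTERNET": "can reach a mail server",
}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+")
PHONE_RE = re.compile(r"(?<![\w.+])\+?\d{8,15}(?![\w.])")  # loose E.164 number
SMTP_RE = re.compile(r"^smtp\.", re.I)


def manifest_indicators(manifest_xml: str) -> dict:
    """Permissions and receivers of interest, keyed by indicator name."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    found = {p: why for p, why in PERMISSION_INDICATORS.items() if p in perms}
    for recv in root.iter("receiver"):
        if recv.get(A + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            found["device-admin"] = "device-admin receiver: plain uninstall is blocked"
        for filt in recv.iter("intent-filter"):
            actions = {act.get(A + "name") for act in filt.iter("action")}
            if "android.provider.Telephony.SMS_RECEIVED" in actions:
                prio = filt.get(A + "priority", "0")
                found["sms-receiver"] = "SMS_RECEIVED receiver, priority=" + prio
    return found


def string_indicators(strings: list) -> dict:
    """Hardcoded email addresses, phone numbers and SMTP hosts in the string table."""
    return {
        "emails": sorted({m.group() for s in strings for m in EMAIL_RE.finditer(s)}),
        "phones": sorted({m.group() for s in strings for m in PHONE_RE.finditer(s)}),
        "smtp_hosts": sorted(s for s in strings if SMTP_RE.search(s)),
    }


def triage(manifest_xml: str, strings: list) -> dict:
    """Verdict rule (this example's own): data theft + email exfil + device-admin."""
    m, s = manifest_indicators(manifest_xml), string_indicators(strings)
    steals = "android.permission.READ_SMS" in m and "android.permission.READ_CONTACTS" in m
    exfil = bool(s["emails"]) and (bool(s["smtp_hosts"]) or "android.permission.INTERNET" in m)
    persists = "device-admin" in m
    verdict = "matches infostealer profile" if steals and exfil and persists else "no match"
    return {"verdict": verdict, "manifest": m, "strings": s}


# Constructed: a decoded manifest shaped like the app described (package name is made up).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.docviewer">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Document">
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed string dump; only the error text is the one quoted in the article.
SAMPLE_STRINGS = [
    "Installation errors, this software is not compatible with the phone.",
    "smtp.example.com",
    "drop.box.operator@example.com",
    "Pa55w0rd!",
    "+15555550100",
]

# Constructed benign control: a single harmless permission and no receivers.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

if __name__ == "__main__":
    for label, res in (("sample", triage(SAMPLE_MANIFEST, SAMPLE_STRINGS)),
                       ("benign", triage(BENIGN_MANIFEST, ["Notes"]))):
        print(label, "->", res["verdict"], res["manifest"], res["strings"])
```

The verdict deliberately requires all three legs (theft, exfiltration channel, device-admin persistence): a legitimate SMS backup app will hit the first, and a mail client the second, but the combination with a device-admin receiver and credentials baked into the string table is what separates this family from benign apps.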

Because the app obtains device administrator rights when installed, a plain uninstall is blocked. To remove it, boot the phone into safe mode, revoke its rights under Settings --> Security --> Device Administrator, and then uninstall it from Settings --> Apps --> Uninstall.

The malware was sending user data to the hacker's email