Posing as a System Update tool, the app gathered millions of downloads over the years it stayed under Google's radar

Apr 20, 2017 22:03 GMT

One thing that Android users should know about their devices is that system updates come automatically and do not require downloading and installing any other tool. This needed to be said because millions of users looking to get the latest Android software updates fell victim to a trick on the Google Play marketplace by downloading a spyware-infested app. 

According to security researchers from Zscaler, an app called "System Update" posed as a legitimate app in the Google Play Store. It claimed to provide users with access to the latest Android software updates, which is not something that a third-party app can do. The spyware made its way to the Store in 2014 and had between 1 and 5 million downloads by the time it was discovered.

In the meantime, Google has been alerted and the app has been removed. After three years, however, it quite possibly did a lot of damage. The app was used to spy on a user's exact geolocation, which could be used for a wide range of malicious purposes.

Taking a look at the app, you could find loads and loads of bad reviews with people complaining that the app wasn't working. That, alone, should have been a dead giveaway. If that didn't help, however, the users went on, saying that as soon as they tried to open the app, it just said "Unfortunately, System Updates has stopped," while others said their phones started freezing and running slow. Other indications that this wasn't a proper app were the lack of screenshots attached to the app and the lack of a proper description.

"The app in this analysis portrays itself as a system update and does not mention in its description about tracking the victim. As shown in the screenshot below, it does not mention that it will send location information to a third party," Zscaler points out.

Lousy description

Working in the background

As mentioned in the user reviews, once launched, the app quits with the message "Unfortunately, Update Service has stopped." This does not mean the app stops working, just that it hides itself from the main screen. In the background, the spyware sets up an Android service and a broadcast receiver, fetching the user's last known location and scanning incoming SMS messages.

"This piece of code is designed to look for incoming SMS messages with a particular syntax, in which the message should be more than 23 characters and should contain 'vova-' in the SMS body. It also scans for a message containing 'get faq.' Once the spyware has been installed on the victim’s device, an attacker can send an SMS message 'get faq' and this spyware will respond with a set of commands," the researchers point out.
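The behaviour described above (a background service, a broadcast receiver for incoming SMS, and location access) is visible in an app's manifest before the app ever runs. The following Python triage check is an added example, not code from Zscaler or from the app: it assumes a decoded AndroidManifest.xml as text, and the sample manifest, package name and class names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
LOCATION_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
                  "android.permission.ACCESS_COARSE_LOCATION"}

# Constructed sample manifest (decoded XML); package and class names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.updater">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="System Update">
    <service android:name=".LocService"/>
    <receiver android:name=".SmsHook">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def names(root, path):
    """Collect android:name values for every element matching path."""
    return {e.get(ANDROID_NS + "name") for e in root.iterfind(path)}

def audit_manifest(xml_text):
    """Return findings for the SMS-receiver plus location pattern."""
    root = ET.fromstring(xml_text)
    perms = names(root, "uses-permission")
    findings = []
    if "android.permission.RECEIVE_SMS" in perms:
        findings.append("requests RECEIVE_SMS")
    if perms & LOCATION_PERMS:
        findings.append("requests location access")
    if SMS_ACTION in names(root, "application/receiver/intent-filter/action"):
        findings.append("broadcast receiver listens for incoming SMS")
    if names(root, "application/service"):
        findings.append("declares a background service")
    return findings

def sms_matches_trigger(body):
    """Apply the two message patterns quoted from the Zscaler analysis."""
    return (len(body) > 23 and "vova-" in body) or "get faq" in body

def is_suspicious(xml_text):
    """Flag only when SMS interception and location access appear together."""
    f = audit_manifest(xml_text)
    return ("requests location access" in f
            and "broadcast receiver listens for incoming SMS" in f)
```

Any single finding is common in legitimate apps; it is the combination, in an app whose listing mentions neither SMS nor location, that warrants a closer look.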

The app has avoided detection for a long time. Its last update was in December 2014, but people continued to install it on their devices.
