
How Malicious Apps on the Google Play Store Compromised User Data from 196 Countries.

At the start of this year, new spyware was discovered within a few apps on the Android Google Play store. This spyware, labelled “MobSTSPY”, was intended to scrape information from the user’s device and steal it while arousing as little suspicion as possible. A user would unknowingly download a totally legitimate-looking application containing the spyware from the Google Play store, and upon launching the application they would be prompted with a Facebook or Google login screen. Even before the user enters any information, the application has already compromised the device in the background, giving the hacker the ability to connect to the device and upload files from it. “MobSTSPY” is capable of dumping contacts, stealing SMS conversations, reading clipboard items, finding the location of the device, and taking text documents, pictures, and audio files and uploading them to the perpetrator’s system.

Today, it is pretty common for an app to ask you to sign in to Facebook or Google when you first launch it. The reason is that a lot of games let you record your progress in the game, collect badges, earn points, and easily share your progress with others through the linked social media account. The spyware would bring up a convincing but fake login screen for Facebook or Google, and once the user enters their info they have been compromised. The malicious applications had the most downloads in India and Russia, but still managed to find their way onto people’s devices in about 196 different countries.

The spyware was hidden in an array of applications on the Google Play store. The applications it was most commonly hidden in included a Flappy Bird lookalike, a flashlight app, a Windows 7 emulator for Android, and various other applications. The spyware retrieves your information through a command-and-control (C&C) server. “MobSTSPY” specifically uses Firebase Cloud Messaging to transfer compromised data to its server, where the hacker could access the stolen information and do as he or she pleased with it.

Originally reported by Trend Micro.

