System Update: New Android Malware

Researchers have discovered a new Android app called “System Update” that is a sophisticated Remote-Access Trojan (RAT). From a news article:

The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying. It includes: instant messenger messages and database files; call logs and phone contacts; Whatsapp messages and databases; pictures and videos; all of your text messages; and information on pretty much everything else that is on your phone (it will inventory the rest of the apps on your phone, for instance).

The app can also monitor your GPS location (so it knows exactly where you are), hijack your phone’s camera to take pictures, review your browser’s search history and bookmarks, and turn on the phone mic to record audio.

The app’s spying capabilities are triggered whenever the device receives new information. Researchers write that the RAT is constantly on the lookout for “any activity of interest, such as a phone call, to immediately record the conversation, collect the updated call log, and then upload the contents to the C&C server as an encrypted ZIP file.” After thieving your data, the app will subsequently erase evidence of its own activity, hiding what it has been doing.

This is a sophisticated piece of malware. It feels like the product of a national intelligence agency or—and I think more likely—one of the cyberweapons arms manufacturers that sells this kind of capability to governments around the world.

Posted on March 30, 2021 at 10:00 AM • 22 Comments

Comments

lurker March 30, 2021 1:01 PM

From Zimperium:

Upon installation (from a third party store, not Google Play Store),[…]

Genuine Android “Partners” or whatever they call them now, have always been able to supply updates for their systems. Yes, in the past such updates have been woefully absent, but in the last couple of years new models of big name Android handsets have had OTA updates. So this RAT must be aimed at a particular class of user who will happily use a “system update” not supplied by the device maker. Is it unkind to suggest they get what they deserve?

Weather March 30, 2021 2:20 PM

@lurker
I would like to root my phone so I can remove stuff the vendor put in, namely aptmanger.Facebook.com.
But you’re saying hackers have no morals?

Etienne March 30, 2021 3:09 PM

I’d say that would be an Android EOL app.

I’ve been using my VoIP phone around the house. As soon as I get home, I take the battery out of my cell phone. It then forwards from the cell provider.

Same when I get to work. They don’t let cell phones in the building, so I forward to my desk.

So, what’s the next thing after Android?

Clive Robinson March 30, 2021 4:17 PM

@ Etienne, ALL,

So, what’s the next thing after Android?

Does it really matter?

We know it will be the usual low grade consumer crap stuffed full of unwanted features and ways for either the hardware seller or OS supplier to steal more of your PII as despite you handing over money, they believe they are still the owner and you are just product to be milked/fleeced…

And because of that it will quickly be full of criminal malware from cyber-crooks or worse SigInt agencies or Saudi Prince type personal hit squads who delight in dismembering people with butchery tools, often before they are dead…

And people wonder why more and more people are investigating the “off grid” way of living.

Once such people were considered to be “loony two fruit paranoids”, now just a little more cautious than others…

And it’s our own “liberal” in the dictionary sense supposedly democratic governments that have made us like this, not terrorists, tyrants, dictators, or despots…

I guess “What police state behaviour next?” could be the more objective question.

metaschima March 30, 2021 8:26 PM

@lurker

Well, more precisely this app targets morons who have no idea how to update their rooted phone using an OTA. It most certainly does not come in the form of an app, but rather a zipped image file.

@Weather

Me too, but I am not going to do it because it greatly increases risk of getting malware on your phone. I have been able to disable almost all pre-installed apps on my Samsung.

lurker March 30, 2021 10:09 PM

@Weather: no, I didn’t mean to say hackers have no morals. But there are some hackers with their wits about them who will know how to use an OTA update on a rooted phone. And there will be some who don’t know what’s inside some dodgy .apk, and those will get their come-uppance. As @metaschima says it’s possible to disable a lot of vendor crapware without rooting your phone. The hardest stuff to stop is what the Great G weaves tightly into the system (remember IE?) so even the device vendor can’t remove it on pain of death.

Winter March 31, 2021 3:19 AM

@Lurker
“So this RAT must be aimed at a particular class of user who will happily use a “system update” not supplied by the device maker. ”

This RAT will be installed on phones without the user knowing it. Either by police/border control or by getting hands on the phone.

Also, it could be the payload for another type of malware or phishing attack.

David Leppik March 31, 2021 3:36 PM

@metaschima:

It’s a poor physician who blames the patient. Many people—not all—have been told to avoid software from shady sites. They’ve also been told to floss their teeth every day and not drive aggressively. An attack of this sophistication would not just be placed on a shady website. There would be social engineering to make it seem to come from a trusted source.

Similarly, you would know not to get an injection from a random person in an alley. However, if someone claiming to be associated with your doctor’s clinic who knew your medical history called you and told you to go to a certain nondescript location that was described as an emergency COVID-19 vaccination center, there’s a good chance you’d go out of your way to get an injection from a stranger.

Jesse Thompson March 31, 2021 4:26 PM

The broad range of data that this sneaky little bastard is capable of stealing is pretty horrifying.

I think the article misspelled the word “commonplace”.

Winston Smith March 31, 2021 5:52 PM

@ Clive Robinson said:

“I guess “What police state behaviour next?” could be the more objective question.”

I’m as unfortunately cynical as this and have been since I started lurking around this site, gleaning useful info re: security opsec/theory and to protect myself. As Bruce has observed, “Trust is everything”, which is in very short supply now.

Although we can expect the “free” markets to push the limits of what is acceptable, state actors actively monitor privacy advocates along with the “criminals” because from their POV, demonstrating security and privacy precautions is suspicious behavior in the same vein as, “If you have nothing to hide, you needn’t be upset”:

https://www.wired.com/2014/07/nsa-targets-users-of-privacy-services/ (One of an obvious multitude of articles, take your pick)

So effectively, privacy advocates who support the spirit of the limitations placed on the USA Federal government by means of the 4th amendment are considered targets in their threat model. Very telling indeed. “Collect it all” is an existential threat along with backdoored encryption, and the “100 mile 4th Amendment-free Border Zone” (https://www.aclu.org/know-your-rights/border-zone/).

Let’s be realistic, this is not going to get any better before it gets worse. Baubles and distractions and Kim Kardashian’s new bikini keep average Joe from caring enough to force a change. Hmm. Rather, it’s likely that average Joe cares more about Kim K. than constitutional rights, so we get more Kim K.

Off the grid sounds nice. Maybe I need to spend more time on the gardening sites.

Weather March 31, 2021 7:17 PM

@winston
Watched? How many were acted on? Sure they might send around some private eyes, but just because you smoke a bong or letter, they aren’t, or are unlikely, to do anything.
Yes, gardening websites would be good, you don’t want to be wired 24/7 😉

Anders March 31, 2021 7:25 PM

@Clive

While off the grid is nice, it’s not always possible.
Another, more mild and neutral option is using old
trusted hardware.

Unfortunately this is not always possible. Javascript-only
websites, https-only websites etc. We are actually
doing it to ourselves. We arm our websites up to the
teeth to the latest TLS versions so that we are forced to
use latest hardware (with included backdoors) and latest software,
that is spyware. Firefox, that was once very nice and snappy
browser is now bloatware, with questionable privacy handling.
Etc. Etc. Etc. I have made this point here earlier, however
nothing has changed. Actually this blog should and must be
accessible even from some very old device capable only of
plain text-mode browsing. We don’t need smilies and markdown
syntax and lord knows what other fancy stuff. In the end plain text
is all that counts and that’s what is important. You can’t hide
any exploit inside the plain ascii text.
But no one listens.
We can only blame ourselves that we are not protesting loud enough.

Anders March 31, 2021 8:20 PM

@ALL

If someone would mirror this blog to
some old-school style text-only BBS
with telnet access, I’d be very, very happy.

snur-pele April 1, 2021 4:18 AM

@all
I tried to look at that first link. It goes to a “zimperium” blog.
They do not have any “About”-page.
Their “Contact us” is completely javascript. (I do not do js)
It all triggers my alarms: Too secretive.

Are they for real? I have never heard of them.
There is a wikipedia entry. It looks pretty much like a company marketing thing.

Does anyone maintain a list of trustworthy security companies?

/best regards
(apologies for mangled language!)

Clive Robinson April 1, 2021 10:22 AM

@ Winston Smith, ALL,

I’m as unfortunately cynical as this and have been since I started lurking around this site, gleaning useful info re: security opsec/theory and to protect myself. As Bruce has observed, “Trust is everything”, which is in very short supply now.

The obvious question is “Unfortunate in whose eyes?”.

As some of the long term readers and commenters here know I personally don’t do,

1, Secure apps.
2, Email
3, Javascript etc.
4, Cookies.

And have not done so for quite some time.

Also I’ve never done,

5, Social Media.

The reason is I realised just how insecure they were and could see where Governments were going, especially those who claim to be democratic. Never trust anyone who claims they are XXX; they are almost certainly not telling the truth, either by wilfully lying, because they are deluding themselves or they lack knowledge.

Over the years I’ve warned people of the dangers like using AES on systems that are connected to communications networks. The dangers of assuming what is and is not a communications link in reality and many other things.

Some chose not just to listen but actually think about the world around them differently, they are the success. Others however chose to not reason but attack the messenger, including claiming I was paranoid, etc etc. Well here we are and more and more people are beginning to realise that I had reason to say what I did, and in some cases wished they had listened.

But there are still way, way too many people not listening and whilst they think they may never come to harm… They forget their behaviours result in harm coming to others.

As I’ve indicated I do not connect any of my computers to external networks, including the power network. Sounds a little over the top but then I’ve done some research into just what a Smart Meter can say about what is going on in your home, even if you do have Solar/wind etc generation, if they are not isolated –properly off grid– then they will sing out information to the Smart Meter which acts as an “Instrumentation Head” that can then send the information to a remote listening position.

So the only “Internet” I have is via a mobile phone, that I assume is “back doored” all the way to hell and back.

Which gives rise to some asking the obvious question,

Do you do secure communications?

Well the answer is a qualified “yes”. I try and avoid having to do it thus I always act as though the world is “listening in”. But where I have to use secure comms I keep it entirely independent of other electronic communications like “mobile phones” or even Plain Old Telephone Systems (POTS aka Land line).

Further I do not have my security end point even close to my communications end point by quite a distance.

Because I assume that any communications will be intercepted, even the Low Probability of Intercept (LPI) and Multiple Input Multiple Output (MIMO)[1] systems. How is not actually important, just the fact it can be done should be what guides you. So if you can stand there with the plaintext in front of you then so can somebody else[2] who is not someone you can trust now or in the future even if they have been trustworthy in the past[3].

But speaking of “how” you always need to remember you are behind the curve of technology by quite some years. Think of what is easy today that was not even leading edge research a decade ago. Also remember that academia have consistently been the better part of a decade behind things that have been openly discussed on this blog.

That means your “capabilities” whilst up to date or even leading edge in a limited number of cases are in general in real terms between 10 and 20 technical generations behind which is 15-30 years.

Thus most people need to adjust their thinking and consider not “What can be done” but “What do I know can not be done”… The only way to decide that is to ask the important question,

“Do the laws of physics allow this?”

If the answer is yes, then at some point the technology will be created, then maybe someone will write it up as a scientific paper or as their PhD. Then a decade or so later it might be common place.

These days every one should ask themselves questions about their past behaviour. You might be sixty now going for that top Government or Corporate job… But forty years ago did you smoke a joint, hang out with the wrong people, or do something technically criminal as a dare or because you did not care? Well thanks to “collect it all” those little secrets are now going to be known to others if they should choose to look.

And that’s the point, knowledge is a very long lever, you only have to find a suitable fulcrum and you can move the world in your chosen direction…

None of what I’ve said is new, some things especially sayings pre-date our use of electricity. The thing is most of us do not want to think about it thus we “sleepwalk into the trap set by others”. As we should all know by now Politics and Power are very dirty games where money dictates an entry bar way too high for all individuals, thus they have to trade favours to get into power, and taking prisoners is a cost that is a liability unless offset in some way such as being ransomed or in other ways profitably (ab)used.

If you are lucky you will never be in a position where someone will “use and abuse you” with your present or past, but luck is another word for “probability” and as someone way more (im)famous than I once put it,

“I’m a great believer in luck and I find the harder I work, the more I have of it.”

Security is something of a “Red Queen’s Race”: you have to run just as hard as you can to stay relatively where you are…

[1] http://e-space.mmu.ac.uk/625409/

[2] Even if you have all the dirt in the world on someone, they will still betray you if some third party makes it in their interests to do so[3].

[3] “Human Trust” is a lot different to “Security Trust” and it mostly fails because people trust things to others that they should not. Unfortunately “Human Trust” is also the major cause of security failing. If we trusted less we would be more secure. Back many decades ago when wearing the green I was told “Never leave ammunition for the enemy”; well, in life that should be “Never trust people with information that can hurt you because they will hurt you with it at some point”. Remember as they say in financial services adverts “Past performance is no indicator of future performance” or as I sometimes say “You are not a murderer until you’ve killed someone, so do not assume you will not be their first kill”. Remember the old advice of “Three can keep a secret if the other two are dead”, that is take the attitude of “do not trust” any one or anything, importantly including yourself.

Clive Robinson April 1, 2021 1:24 PM

@ Anders, ALL,

While off the grid is nice, it’s not always possible. Another, more mild and neutral option is using old
trusted hardware.

I do both.

Being ICT off-grid is not of necessity the same as Living off-grid.

What it means at the end of the day is controlling the environment in which you carry out your ICT activities.

Look at it this way, older laptops do not have WiFi or other communications unless you plug an appropriate card in them. If you are only running off of the battery in your sub basement “man cave” etc then providing no one has placed listening equipment in the cave, then you are not “emanating energy” thus potential information into the larger environment. Effectively you have a partial air-gap isolation.

The problem then is dealing with malware etc. If this old laptop is never connected to a network with the bandwidth to transfer illicit code then you are relatively safe.

However you probably know that such laptops are prior to this century and run Win95 or Win2k or earlier. They can be difficult to source let alone get spare parts for.

Most if not all computers these days with perhaps the exception for some “office machines” come with communications built into the motherboard. Worse they come with OS’s that insist you connect to the Internet so the OS owners can have your computer under their control to “ET phone home” to the mothership and spill its guts about your private life etc.

It’s why in the past I’ve talked about the “Two PC” solution, one for work one for connectivity to the Internet etc. Pre 1995 machines have the advantage of not having either type of Flash ROM in them so malware can not be put into it to become persistent beyond hard drive and other “wipe-n-reinstall”. Anything after 1999 probably does have some form of Flash ROM in it somewhere, so if you ever connect it to a network, you can assume it will have been got at in some way.

If you are lucky enough to have mid 1990s kit still functional it’s probably only good for a maximum of 4GByte of RAM so will have to run an old probably vulnerable OS and browser. If you do not do online finance or purchasing or questionable viewing that probably does not matter, you can just reinstall the OS every month or so.

An alternative is to use a CD or DVD based OS from the front of a magazine or back of a book. These are real ROM disks that can not be over written thus recycling the power clears all malware.

However a word of caution: most CD/DVDs with an OS on these days are not technically ROMs thus unless you take care to “write them out” it would be possible for malware to be written to it. Likewise just say no to CD/DVD rewrite, you are leaving a large hole open.

But there is the problem you note,

Unfortunately this is not always possible. Javascript-only websites sites, https-only websites etc.

I have a “no cookies, no javascript” policy, which in the case of many web sites is an advantage not a hindrance. As all of the crap advertising and most other nonsense including those stupid US “lets get around EU regulations by forcing you to click ‘I accept'” fails to happen. OK in the case of some they downgrade images to blurs but mostly what I’m after is textual based information so it does not matter, especially as a search on a block of text will often bring up another website with the same content including unblurred images.

Something like 90% of Web traffic is down to having JavaScript enabled or similar idiocy in HTML5 which I think everyone should boycott as standard practice. So I find pages load six to twenty times faster, are advert free and so far as far as I can tell malware free from not having JavaScript enabled.

But as for,

We are actually
doing it to ourselves.

Not exactly, it’s more a case of “being done unto us without choice”. No user who knows anything about the way the on-line world works would have voted for HTML5, the specification was driven by certain corporate interests and all at the W3C and major browser developers really should hang their head in shame at their dishonesty.

I can not change it as an individual other than by boycotting and telling people, but at some point if enough people do the same things will change.

Sunny April 15, 2021 6:13 PM

@Weather Android is a malicious RAT / botnet like all versions of windows and mac. First rooting your phone without self signed keys / custom devs keys leaves you without oem lock, which opens fastboot for installing as many backdoors as they like once they have physical access. If your hardware isn’t already (most likely) backdoored. One reason why android moved away from fde (full disk encryption) and is now using fbe (file based encryption) while the system partition isn’t encrypted at all, which makes it very easy to push a rootkit over fastboot.
Lineage is only good with oem lock, otherwise use pixel devices (made by google) with graphene os or calyx os and hope their hardware has fewer backdoors than the Chinese manufacturers. In the end it’s all about trust, which is based on belief and hope. Rooting is a first step, I mean leaving the user without root while a rootkit is in place, c’mon, it’s like every other trash operating system. (Linux obviously not mentioned, but even there 30%+ of code submitted to Linux comes from Google, of course not the GNU part)

“but i use a secure password for encryption on my phone” – if needed it will be cloned by fastboot boot twrp, giving anyone adb root access to dump the sde of your user data and then have fun while they multi-VM bruteforce your device. I mean using a pin / pattern is just facepalm! Every local police will be able to “hack” your self-backdoored root recovery access and break into your system. Of course they are even too dumb for that, but at least Interpol, NSA, Mossad etc. are more than capable of doing it. Be warned. I just use a Google phone because I can’t hide from the NSA, so whatever they want they shall get, with quite a struggle. Just don’t be a criminal, then you can laugh about them wasting time looking into you, without being angry that your earned useful dollars get burned by tax-paid professionals for nothing.

Many hackers have no ethics, they have morals, and if they believe they have to / should do it, they will do it. Becoming more rational is a good step forward.

Sunnyer April 15, 2021 6:26 PM

@metaschima

trusting a manufacturers software. mlg get a mac / iphone as upgrade to be more trolled while feeling “secure” lol

@Anders you are right, besides the fact it’s not your job to cry until a better government is in place; be the change and use free and open source software as much as possible and even lock that up with ad blockers, sandboxes and hardened browser profiles.

Waiting or just protesting is literally for losers who have no impact and never will have, hopefully these people get arrested for being retarded like that. Provide better solutions and go your own way while being a role model for others. Being an afraid person waiting for others to handle the situation shows the broken mindset of the western world. Be the provider of solutions, not part of the problem.

Weather April 16, 2021 8:08 AM

@sunny
Yeah, it was a bad day weather-wise, will look into file encryption instead of FDE.

Clive Robinson April 16, 2021 12:21 PM

@ Weather,

will look into file encryption instead of Fde.

My advice is always use both, and ensure they use different crypto algorithms.

Oh and where possible, do not trust CPU hardware features like enclaves. The argument that they are secure is dubious. However they can if used properly provide an extra layer or three to the onion that an attacker has to work through.

Unless of course they find another “reach around” attack like RowHammer that could be used to access any location in system RAM irrespective of what it is being used for.

Oh and people should remember there are ways to add extra security to block ciphers in use (which is unavoidable on smart devices).

In essence most Feistel round ciphers can be split into two halves. The first is the actual rounds, the second is the key derivation function that produces the round sub keys from the actual encryption master key.

You do not need to store the master key after you have generated the round sub keys. Likewise you do not need to store the actual round sub keys only an encrypted form of them.

The simplest way to see this is by using “whitening” or similar, where you XOR them with a secret value before storing them in RAM. Then when you load the round sub key from memory to actually use it you XOR it with its secret value to get the real value in a register, use it from there, then overwrite or similar.

That way anyone getting at system RAM has a harder job. Obviously you can refine it further by turning the whitening process into a stream cipher, thus after loading the sub key into a register first decrypt it under one stream cipher offset, use it in the round, then recipher it with a new stream cipher offset and put the result back in system RAM. That way the storage used for the sub-keys continuously evolves which can be desirable for other reasons as well.
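The masked-subkey scheme Clive describes, carried through in code as an added example (this is not code from the post or from any commenter): round subkeys are derived once from a master key, kept in "system RAM" only XORed with a keystream block, unmasked into a local for the duration of one round, and re-masked under the next keystream offset so the stored form changes on every use. The HMAC-SHA256 key schedule, the SHA-256 keystream and the names `MaskedKeySchedule`, `use_round_key` and `ram_dump` are all constructed here for illustration; they stand in for a real cipher's key derivation and a real stream cipher. The whitening secret is passed in on each call rather than stored in the object, modelling a value held somewhere the RAM reader cannot reach.

```python
import hashlib
import hmac

ROUNDS = 14       # AES-256 has 14 rounds; here it is just a parameter
SUBKEY_LEN = 16   # bytes per round subkey


def derive_round_keys(master_key: bytes, rounds: int = ROUNDS) -> list:
    """Toy key schedule, constructed for this example (not any real cipher's
    KDF): subkey i = HMAC-SHA256(master_key, i) truncated to SUBKEY_LEN."""
    return [
        hmac.new(master_key, i.to_bytes(4, "big"), hashlib.sha256).digest()[:SUBKEY_LEN]
        for i in range(rounds)
    ]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_block(secret: bytes, subkey_index: int, offset: int) -> bytes:
    """Constructed stream-cipher stand-in: SUBKEY_LEN bytes of keystream for
    (subkey_index, offset). A different offset gives an unrelated mask."""
    msg = subkey_index.to_bytes(4, "big") + offset.to_bytes(8, "big")
    return hashlib.sha256(secret + msg).digest()[:SUBKEY_LEN]


class MaskedKeySchedule:
    """Round subkeys held in 'system RAM' only in masked form.

    The master key is consumed once and then dropped. The whitening secret
    is never stored in this object: the caller supplies it on every use,
    modelling a value that lives outside the memory an attacker can dump
    (a register, an enclave, a separate device). Offsets are public.
    """

    def __init__(self, master_key: bytes, secret: bytes, rounds: int = ROUNDS):
        subkeys = derive_round_keys(master_key, rounds)
        self._offsets = [0] * rounds
        # Plain whitening step: store subkey_i XOR keystream(secret, i, 0).
        self._storage = [
            xor_bytes(k, keystream_block(secret, i, 0)) for i, k in enumerate(subkeys)
        ]
        del subkeys  # CPython gives no guarantee the plaintext copies are wiped

    def ram_dump(self) -> list:
        """What someone reading this object's memory would actually see."""
        return list(self._storage)

    def use_round_key(self, i: int, secret: bytes) -> bytes:
        """Unmask subkey i for one round, then re-mask it under the next offset.

        Returns the real subkey (what the round function would consume from a
        register); the stored copy is replaced so the masked form evolves.
        """
        off = self._offsets[i]
        plain = xor_bytes(self._storage[i], keystream_block(secret, i, off))
        self._offsets[i] = off + 1
        self._storage[i] = xor_bytes(plain, keystream_block(secret, i, off + 1))
        return plain


if __name__ == "__main__":
    master = bytes(range(32))          # constructed sample master key
    whitening_secret = b"\x5a" * 16    # constructed; would come from outside RAM
    sched = MaskedKeySchedule(master, whitening_secret)
    real = derive_round_keys(master)
    for rnd in range(ROUNDS):
        assert sched.use_round_key(rnd, whitening_secret) == real[rnd]
    print("masked storage never equals a real subkey:",
          all(m not in real for m in sched.ram_dump()))
```

Two things to check before relying on this layer: the whitening secret must genuinely live outside the region the attacker can read, otherwise a dump yields both the mask and the masked value; and a managed runtime like CPython does not let you control when the plaintext copies made during derivation are freed, so a production version belongs in C with explicit zeroisation of the register-resident value after each round.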

Weather April 16, 2021 2:42 PM

@clive
Thanks for that, I’m assuming that it’s hard to go from the round keys to the master key.
AES has 12-14 rounds; does having any more make it exponentially harder?

Clive Robinson April 16, 2021 7:25 PM

@ Weather,

I’m assuming that it’s hard to go from the round keys to the master key.

That was the assumption before AES…

AES has 12-14 rounds; does having any more make it exponentially harder?

More rounds are generally to make the “work factor” harder to go backwards from ciphertext to plain text, and the round sub key computation is not as such considered in this. Because the assumption is the individual round keys are fully independent of each other as though obtained from a “random oracle”. In practice if you can work the “one-way functions” in the round subkey generation and Feistel structure backwards then it would make adding extra rounds a minimal impediment to a cryptanalysis attack.

Thus a lot rests on the “one-way functions”, which made quite a few people nervous about what is now AES during the competition.
