The spyware harvested user and device data from infected Android smartphones
Google has removed four apps on its Android Play Store, which were found to be infected with spyware capable of stealing device and user data.
The infected apps were spotted by security researchers from Lookout, which found a piece of spyware, dubbed Overseer, lurking behind the apps.
The spyware is capable of harvesting a user’s name, phone number, email and contact history, as a host of data from the smartphone, including its location area code, the version of Android it is running, its user build and whether the device has been rooted.
Lookout noted that the spyware is particularly interesting as it appears to have been used to target foreign travelers, noting that Overseer was found in one app aimed at guiding travelers to their nation’s embassy when abroad, and in a Russian and European news app.
The researchers also pointed out the spyware was communicating with a control and command centre using Facebook’s open source Parse Server based on the Amazon Web Services cloud. By using HTTPS and a server based in the US, Lookout noted that the data flowing from the apps to the command centre appear legitimate, making it less likely to be blocked and investigated.
“Devices infected with Overseer periodically beacon to the api.parse.com domain, checking whether there are any outstanding commands the attacker wants to run,” Lookout said, explaining how the spyware removed data from the infected devices.
“Depending on the response, the malware is capable of exfiltrating a significant amount of information from an infected device. These communications are all encrypted over the wire, which hides the traffic from network security solutions.”
When Lookout notified Google of the threats, the search company rapidly removed the apps.
Mobile malware is a growing threat, as evidenced by the 85 million Android devices infected by the HummingBad malware. And Android malware seems to be adept at mimicking legitimate apps, such as WhatsApp and Uber.