An Android Spyware disguised as games & utilities struck more than 100,000 victims in 196 countries before being taken out of Google Play. Detected as ANDROIDOS_MOBSTSPY & dubbed MobSTSPY, the malware initially grabbed attention when it was masqueraded as a called Flappy Birr Dog.

While it is common to find unarmed goods in third party app stores, MobSTSPY managed to infiltrate the authentic & reliable App Store i.e. Google Play with at least six different apps in 2018. These apps include:

• FlashLight,
• HZPermis Pro Arabe,
• Win7imulator,
• Win7Launcher, and
• Flappy Bird
• Flappy Birr Dog

These apps pose as legitimate & claim to be torches, games & tools for productivity. Some of these have seen 10,000 download from users around the world. Though malware invasion in devices is common, but what makes this case more interesting is the widespread distribution of its applications.

Among the countries where the malware is scattered include Poland, Mozambique, Thailand Iran, Mexico, Tanzania, Vietnam, Algeria,  Romania, Cambodia, Italy, Morocco, Malaysia, Kazakhstan, Germany, Iraq, Sri Lanka, Philippines, Argentina, Belarus, Saudi Arabia, the United Republic of Hungary & South Africa.

Threat Behavior of MobSTSPY

Unlike the undistinguished spyware, Mobstspy is scripted to embezzle wider range of data on the compromised devices. To evade detection and to build a strong base the malware after infiltration first detects the device’s network availability. It then reads and parses an XML configure file from its C&C (command and control server) hence registering the device.

It is observed that the malware leveraged Firebase Cloud Messaging (FCM) to communicate with the C&C server & depending on the command received it steals & transfers the data to the threat actors.

The threat behavior of Mobstspy can be categorized into two:

1. Information Stealer: The nasty android infection lines its pockets with important user data like user location, text messages, call logs, contact lists, clipboard items & instance  downloaded files on android devices. It also collects device information like its registered country, language used, package name, device manufacturer & so on to keep a track of devices for future social engineering attacks. The collected information is sent to C&C server via FCM.
2. Phishing Aspect: In addition to info-stealing capabilities, malware is scripted to steal credentials of prominent social networking sites by displaying phishing screen. For instance, forged Facebook and Google login screens are displayed to trick users to enter the credentials. When the user provides the username & password, it returns an unsuccessful login message, but the credentials have already been stolen.

The popularity of apps serves as an incentive for cyber-criminals to continue developing campaigns that use them to steal information or carry out other types of attacks.

Protecting the accounts with two-factor authentication feature is therefore deemed vital to avoid unforeseen circumstances.

Conclusion

Google’s ecosystem may be increasingly safe. Thanks to the constant improvements in Google’s implementation of device & software resources. However, this doesn’t imply that chances of downloading an infected app are nil. Irrespective of the stringent safety measures adopted, it is still possible for your phone to become infected with malicious software.

It’s not hard to tell if your device is infected with nasty system program.

• It might slow down.
• Unnecessary ads or pop-ups may flood the computer screen.
• It may crash unexpectedly.
• Unfamiliar icons show up on the screen.

Dodgy apps, often promising free work software, cheat codes, porn, new games or money are an increasingly common method of getting malware onto your mobile devices where they wreck havoc & steal data.

The vigilance of users is therefore deemed vital to defend devices against malware attack. Updating software and going through user reviews & star rating is of utmost importance before downloading any application.

Hits: 165