Dean Smith

Our Smartphones Are Spying on Us: When 21st Century Folklore Turns Real

Recently, we discussed one of the latest urban myths in, “Our Smartphone’s Are Spying on Us: Folklore in the 21st Century,” and evaluated the popular theory that “Big Tech,” e.g. Facebook, Google, Samsung, Amazon, and Apple, are using our phones to spy on us. The short answer is a resounding “not a chance.” They have too much to lose and we give them more information about ourselves than they can handle just by using their apps, search engines, or social media platforms.

Here’s the other side of this argument. Big tech may not need to spy on us, but there’s a host of other people who really, really want to, and they’re using our smartphones to gather all kinds of data that isn’t always related to advertising. They develop malicious apps designed to turn your phone into a treasure trove of supposedly “secure” information. Oftentimes, these programs aren’t well made. They’re fairly easy to detect and remove before causing any harm. The apps designed by a developer with some talent and a crafty mind, however, are harder to spot, and a few of this breed aren’t merely “malicious”; they’re downright mean.

The good news is this: malicious apps rarely last for long on Google Play. Between Google’s security checks, outside cyber security firms, and user reviews, the Play Store is monitored reasonably well, and considering Android’s open-source design, that’s no mean feat. The downside is that most malicious apps stay available until their nefarious activity is discovered and reported. Does that typically take long? No, but it’s often long enough to cause some damage, and the better an app is at hiding its nature and functions, the longer it can last.

We’ll look at three types of malicious apps that made their way onto Google Play over the last year and examine how they camouflage themselves as well as their primary function.

TsSdk, One of the Most Widespread Forms of Malware

In April of 2019, researchers from Check Point uncovered a total of six apps laden with the PreAMo ad fraud malware on Google Play, and what made this incident so notable was the number of downloads recorded prior to this discovery. Over 90 million users installed these apps before Check Point unearthed their malicious nature, and Google yanked them from their Play Store.

Avast’s cybersecurity team published a report soon afterwards showing how these apps were linked to each other through third-party libraries that “bypass the background service restrictions present in newer Android versions.” The researchers added, “Although the bypassing itself is not explicitly forbidden on the Play Store, Avast detects it as Android:Agent-SEB [PUP], because apps using these libraries waste the user’s battery and make the device slower. The applications use the libraries to continuously display more and more ads to the user, going against Play Store rules.”

Known as TsSdk, the app displays full-blown ads to users, and in some cases, will also attempt to lure viewers to install additional adware-laden applications. Two versions of the malware were found, and the older of the two, which was installed roughly 3.6 million times, was buried in apps offering simple games, photo editing, and fitness systems.

Once installed, these apps appeared legitimate but dropped shortcuts to unwanted pages or services on the Android home screen; one, for example, added a “Game Center” shortcut that opened a page advertising gaming software.

Newer versions of TsSdk have been discovered in music and fitness apps, and users have installed these almost 28 million times. The malicious code has been revamped and encrypted, and it only triggers when a victim clicks on a Facebook ad. This is most likely a way for the code to lengthen the time it can remain on a host device without detection.

Malicious Android Apps That Activate Only When You Move Your Smartphone

Yeah, ok. Kudos for inventiveness, guys.

Last year, the cybersecurity team from Trend Micro identified two apps containing the Anubis banking Trojan and reported how these apps used a device’s motion sensor to both trigger the malware and avoid detection. These apps were disguised as utility software, a currency converter and power saver named Currency Converter and BatterySaverMobi, respectively.

These two apps monitor a victim’s motion sensor, and when users move their phone, the programs analyze the sensor data. If the data meets their “movement” criteria, such as walking or consistent motion, they deploy Anubis.

If no motion is detected, or the movement doesn’t meet their criteria, the programs remain inert, since a lack of motion could indicate the device is in an emulator or sandbox environment, one where the malicious code could be picked apart by researchers. Ergo, the app will not deploy its malicious payload if there is no movement.

If motion is detected, the malicious apps activate and attempt to trick the user into downloading and installing the Anubis Trojan by way of an APK and a fake system update message. If the user falls prey to this scam, a built-in keylogger records keystrokes, the malware takes covert screenshots, and both are used to steal banking credentials.

The software doesn’t stop there, of course. The malware also gains access to contact lists and location data, and it gains the capability to record audio, send texts, make calls, and tamper with external storage.

The Sidewinder Hackers Who “Destroy” Your Phone Once They’ve Looted Your Data and Passwords

One of the most recent alerts is most likely the work of the hacking group Sidewinder. On February 7, 2020, the security firm Trend Micro discovered optimizer and utility apps in the Google Play Store capable of loading up to 3,000 variants of malware onto an infected phone. Almost half a million people installed these apps before Google removed them from the Play Store, and the company warned that numerous devices had yet to remove these apps.

One of the more curious functions of this malware is its ability to use an infected device to post positive reviews for the malicious apps. Compared to the rest of this malware’s sophistication, however, this function’s a bit on the weak side. A screenshot captured from one of the apps shows how it posted positive comments from different users but used the same text for each review. Not exactly subtle.

The 3,000 variants of malware, or malicious payloads, disguise themselves as system applications, and no icons appear on the launcher or in the device’s app list. Thus, a user may not realize their phone is infected, and when they do figure it out, uninstalling the app can be a bit difficult, as the software tricks users into enabling specific permissions to protect itself while disabling Google Play Protect, which scans apps from the Google Play Store for malware.

Another report, this one from Cofense (via Ars Technica), reveals that unaware Android users are downloading apps containing the Anubis malware. Once the apps are installed, hackers send out attachments resembling invoices. They’re actually APKs, and users who download the fake invoices and allow their phones to sideload apps will see fake Google Protect messages asking for two privileges; the latter disables Google Play Protect and agrees to 19 permissions. The malware then scans the infected device to see if any of 263 banking and financial apps are installed. If one of these apps is on the phone, a fake login page is displayed when the user opens it, allowing the attackers to steal the password for that app.
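The traits described in the last few paragraphs (the Anubis capabilities of reading contacts, location, audio, texts and calls and tampering with storage; sideloaded APKs and fake login pages; keystroke capture; and the Sidewinder payloads that show no icon in the app list) all leave fingerprints in an app’s manifest. The following is an added example, not code from this post or from any of the vendors cited: a small Python triage script that reads a decoded AndroidManifest.xml (as produced by a decompiler) and flags those fingerprints. The permission names and the launcher and accessibility-service conventions are real Android identifiers; the scoring weights, the review threshold and the two sample manifests are my own constructed assumptions and describe no real app.

```python
"""Static triage of a decoded AndroidManifest.xml for the traits the post
attributes to Anubis and the Sidewinder payloads: dangerous permissions
(contacts, location, audio, SMS, calls, external storage), the ability to
sideload APKs and draw overlays (fake login pages), an accessibility service
(the usual route to keystrokes and screen content), and the absence of any
launcher activity (no icon in the app drawer).  Added example: the weights,
threshold and both manifests below are constructed assumptions."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Assumed mapping of permission -> why a triage analyst cares about it.
HIGH_RISK_PERMISSIONS = {
    "android.permission.READ_CONTACTS": "reads the contact list",
    "android.permission.ACCESS_FINE_LOCATION": "reads precise location",
    "android.permission.RECORD_AUDIO": "can record audio",
    "android.permission.SEND_SMS": "can send text messages",
    "android.permission.CALL_PHONE": "can place calls",
    "android.permission.WRITE_EXTERNAL_STORAGE": "can tamper with external storage",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can sideload further APKs",
    "android.permission.SYSTEM_ALERT_WINDOW": "can draw overlays (fake login pages)",
}
REVIEW_THRESHOLD = 3  # assumed: three or more findings -> manual review


def has_launcher_activity(root):
    """True if any activity or activity-alias carries a MAIN/LAUNCHER filter."""
    for tag in ("activity", "activity-alias"):
        for component in root.iter(tag):
            for flt in component.iter("intent-filter"):
                actions = {a.get(NAME) for a in flt.iter("action")}
                categories = {c.get(NAME) for c in flt.iter("category")}
                if ("android.intent.action.MAIN" in actions
                        and "android.intent.category.LAUNCHER" in categories):
                    return True
    return False


def triage_manifest(xml_text):
    """Return the package name, a list of findings and a verdict."""
    root = ET.fromstring(xml_text)
    findings = []
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    for perm, why in HIGH_RISK_PERMISSIONS.items():
        if perm in requested:
            findings.append("%s: %s" % (perm, why))
    # An accessibility service is a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE; it can read the screen and every keystroke.
    for svc in root.iter("service"):
        if svc.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append("accessibility service: can capture screen content and keystrokes")
            break
    if not has_launcher_activity(root):
        findings.append("no launcher activity: no icon will appear in the app drawer")
    verdict = "review" if len(findings) >= REVIEW_THRESHOLD else "low"
    return {"package": root.get("package"), "findings": findings, "verdict": verdict}


# Constructed sample manifests; neither describes a real app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Flashlight">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.batteryhelper">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Battery Helper">
    <activity android:name=".HiddenActivity"/>
    <service android:name=".ReaderService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BENIGN_MANIFEST, SUSPECT_MANIFEST):
        report = triage_manifest(manifest)
        print(report["package"], "->", report["verdict"])
        for finding in report["findings"]:
            print("  -", finding)
```

A script like this is only a first filter: WRITE_EXTERNAL_STORAGE and SYSTEM_ALERT_WINDOW are requested by plenty of legitimate apps, and a payload dropped at runtime (as the post describes for Anubis) never appears in the carrier app’s manifest at all, so a "low" verdict is not a clean bill of health. The useful signal is the combination, especially a hidden launcher together with an accessibility service and install or overlay permissions, which is why the verdict keys on the count of findings rather than on any single one.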

Once the attacker is done with the infected phone, he can remotely “destroy it.” A researcher with security firm Cofense wrote, “For example, once the attacker has harvested and exploited all the credentials, contacts, emails, messages, sensitive photos, etc., they might choose to encrypt the phone for a ransom or simply destroy the phone out of malice.”
