A banking and personal information stealing mobile malware posing as a Google Chrome update for Android, and which can’t be removed from the infected device, has been spotted in the wild by cybersecurity researchers.
The infostealer malware – discovered by the Zscaler ThreatLabZ research team – is capable of harvesting banking information, call logs, SMS data and browser history which are all sent to a remote command-and-control server.
Rather than being served by one URL, the malware squats on multiple domains which are similar to existing Google updates. Each URL is only active for a short amount of time, with the addresses serving the malware regularly updated and replaced in order to ensure it avoids detection.
Users who download the fake Android application package – titled “Update_chrome.apk” – are prompted to allow the malware to gain administrative access to their phone and in doing so, unwittingly infect their device.
According to Deepen Desai, Director of Security Research at Zscaler, users are often tricked into installing the malware the fake Chrome update will tell them they’ve been comporomised by a non-existent virus.
Once installed, the malware checks for installed security applications which are supposed to provide protection and prevents them from working correctly. In their report on the malware, Zscaler researchers write that antivirus applications like Kaspersky, ESET, Avast and Dr. Web can all be terminated by the infostealer.
With the malware now free to do as it pleases on the infected devices, text messages and call logs are monitored, with all outgoing, received and missed communications logged and sent to a command-and-control server.
If payment information is entered, the malware takes a screenshot and sends it to a Russian phone number. Once installed on a device, the infostealer can’t be removed because the malware refuses to allow the user to remove administrative access. The only way to remove the infection is to return the device to factory settings – an option which causes all data stored on the phone to be lost.