Bottom line: A rather nasty malicious Android app going by the name of "System Updates" has been discovered by security researchers from Zimperium. While it's not a cause for concern to regular users who rely on Google's Play Store for app installs and updates, those in the sideloading club should take note of this spyware, which presents itself as a system update but actually spends the time silently exfiltrating pretty much all user data to the attacker's server in an encrypted zip file without leaving a trace.
Installing apps from outside the Play Store is a risky venture but one that Android users often undertake if they want to downgrade/upgrade to a particular app version, bypass location restrictions, or keep in touch with their favorite app if it ever gets discontinued officially. The security risks, however, can be equally off-putting, which is why the toggle for sideloading apps is turned off by default.
Yet another case in point is a spyware app recently discovered by Zimperium researchers called "System Update" that instead of addressing the platform's most common user complaint (i.e., timely system updates), displays a fake "Searching for update" notification as it gets busy stealing user data in the background and uploading them to the attacker's server.
Zimperium's analysis of the malware code reveals that the app not only collects information from usual points of interest like call and SMS data, Whatsapp messages, location, clipboard, bookmarks, and browser history, but it can also completely take control of the victim's device to record audio clips as well as periodically take pictures.
The app has also been cleverly crafted to avoid high bandwidth use and raise user/system suspicion. It scans for documents less than 30MB in size and captures thumbnails of recent images and videos, organizes them into several folders inside its own private storage, and uploads their encrypted zip file to the attacker's server, followed by a deletion on local storage to remove any traces.
"It’s easily the most sophisticated we’ve seen,” said Zimperium CEO Shridhar Mittal, who believed that a lot of time and effort went into making this malicious app and that it was likely part of a targeted attack.