This data-stealing Android malware infiltrated the Google Play Store, infecting users in 196 countries

At least 100,000 people downloaded apps distributing MobSTSPY malware, which also leverages a phishing attack to steal account credentials from victims.
Written by Danny Palmer, Senior Writer

Powerful Android malware capable of snooping on user location, communications logs, and stealing files and account credentials has been downloaded by at least 100,000 users around the world after successfully infiltrating the Google Play app store.

Several applications uploaded to Google Play with the intention of distributing MobSTSPY malware have been detected by researchers at Trend Micro. The malware-laden apps include games -- most prominently, a malicious version of Flappy Bird and a clone featuring a dog called Flappy Birr Dog --- as well as more general-purpose applications including a Flashlight and emulators.

It's possible that the apps were initially uploaded to the store without active malicious code, only for the infrastructure for conducting attacks to be added at a later date. This could have been months later, after the apps had been downloaded by large numbers of users.

"Usually Google enforce more stringent checks for new apps, but as updates are made to the app over time and they are proven not to be malicious from the offset, the level of checking may be reduced," Bharat Mistry, principal security strategist at Trend Micro, told ZDNet.

"Once the app has gained some credibility and has a good distribution of users, the app developer will then issue an update which enables the malicious features"


One of the malicious apps used to distributed malware in the Google Play store.

Image: Trend Micro

Following installation, MobSTSPY checks for the device's network availability, before connecting to a command and control server and collecting information about the device, including its registered country, package name and manufacturer.

A number of malicious activities can be conducted, depending on the commands issued by the attackers. These include stealing SMS messages, contact lists and a variety of files, such as screenshots, audio recordings, and WhatsApp data.

In addition to directly stealing files from the compromised Android device, MobSTSPY can gather additional credentials by conducting phishing attacks. The malware displays fake pop-ups from popular websites like Facebook and Google, asking the user to login to their account. The fake pop-up tells the user their login wasn't successful and disappears, having achieved its goal of stealing their username and password.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Ultimately victims of the malware can have large amounts of their personal data stolen by attackers, putting their privacy at risk and leaving them open to additional attacks -- especially if the information is exchanged on underground marketplaces.

Researchers note that the malware has been widely distributed, with victims in 196 countries worldwide, ranging from the United States, across Europe and the Middle East and all the way to East Asia. However, almost a third of victims are in India, which could point to clues about the whereabouts of the attackers.

"Looking at the countries affected the most, it looks like the cyber criminals are operating in and around the Indian subcontinent. They are more than just 'script kiddies', but aren't as advanced or adventurous as nation states trying to see what they can get away with," said Mistry.

All of the malicious apps -- Flappy Birr Dog, Flappy Bird, FlashLight, HZPermis Pro Arabe, Win7imulatorand Win7Launcher -- have now been removed from Google Play. 

When asked how the company is looking to ensure malware doesn't infiltrate its official store, a Google spokesperson told ZDNet that: "We remove applications that violate our policies, such as apps that are illegal."

While the apps can no longer be downloaded, hundreds of thousands of users may still unwittingly be infected. Trend Micro has published Indicators of Compromise to help identify the malicious apps, and users are told to remove the apps as soon as possible.


Editorial standards