A new malware family, dubbed MobSTSPY, stole data from 100,000 Android users in 196 countries. According to Trend Micro, one of the most important cybersecurity firms in Japan, cybercriminals were able to obtain account credentials, locations, files and communication records. Even more worrying, the program infiltrated Google Play to reach as many devices as possible.
They used several free applications, including a clone of the popular Flappy Bird and emulators. Experts have not determined whether the apps already contained malicious code when they were uploaded to the store; most likely it was injected later through updates. In any case, the attackers circumvented Google’s security protocols to distribute the malware.
Once installed, MobSTSPY checks the device’s network connection before communicating with the server that receives the stolen data. It can collect information about the infected device, including its country of registration and the manufacturer. Attackers can steal SMS or WhatsApp messages, the contact list, screenshots or audio recordings.
Another of its capabilities is launching phishing attacks from within the device, since it can display pop-ups over all kinds of websites. These pop-ups deceive victims by claiming they need to log in to Facebook or Google, and so steal their access credentials. Among the territories affected are the United States, Europe, the Middle East and East Asia.
At the moment there is no information about the hackers responsible, but everything indicates that they operate from India and nearby regions. Fortunately, Google has already removed the apps involved in the attack, namely Flappy Birr Dog, FlashLight, HZPermis Pro Arabe, Win7imulator and Win7 Launcher.
Bharat Mistry, security strategist at Trend Micro, told the ZDNet portal that “Google imposes stricter checks for new apps.” However, updates to those same apps do not receive as much scrutiny, because the “level of verification is reduced” once an app has initially shown itself to be trustworthy. “Once the application has gained some credibility and has a good distribution among users, the developer of the app can publish an update that enables malicious functions,” concluded Mistry.