Fake app hiding a SMSVova spyware went undetected for years in the Google Play Stores

Share this…

Millions of users looking to get software updates have downloaded an app hiding a spyware called SMSVova through the official Google Play store.

Bad news for millions of Android users looking to get software updates, they have been tricked into downloading a spyware called SMSVova through the official Google Play store.

Experts at Zscaler discovered that the bogus app was posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software release.

SMSVova spyware

It has been estimated that the fake application hiding the SMSVova spyware was uploaded in the Google Play in 2014, and has been downloaded between 1,000,000 and 5,000,000 times.

Experts reported the discovery to Google that promptly removed it from the store.

The SMSVova spyware was developed to track the physical location of the users, it was controlled by attackers via SMS messages.

“In our ongoing effort to hunt malware, the Zscaler ThreatLabz team came across a highly suspicious app on the U.S. Google Play Store that has been downloaded between one and five million times since 2014.” reads theanalysis published Zscaler. “Upon analysis, we found it to be an SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time.”

According to Zscaler, once the app was installed when users try to open it they were displayed the message:

‘Unfortunately, Update Service has stopped.’

SMSVova spyware 2

then the app hides itself from the main screen and launches the phone’s MyLocationService which collect location data and stores it in the Shared Preferences directory of the mobile device.

Despite the error message, the spyware sets up an Android service and broadcast receiver:

  • MyLocationService: Fetches last known location
  • IncomingSMS (Receiver): Scans for incoming SMS message

SMSVova monitors specific incoming SMS messages with specific characteristics, messages with more than 23 characters in length and that contain the text string “vova-” and “get faq.”

“Once the spyware has been installed on the victim’s device, an attacker can send an SMS message ‘get faq’ and this spyware will respond with a set of commands,” according to Zscaler.

The SMSVova spyware implements other commands, including “changing current password” and “setting low battery notification.” According to Desai, those behind the spyware use the SMS commands in order to instruct SMSVova to retrieve and text back location data. The “setting low battery notification” message is used to instruct the phone to text location data when the battery runs low.

It’s still a mystery why threat actor behind the spyware is collecting location data.

It is interesting to note that the SMS-based behavior and exception generation at the initial stage of the startup weren’t detected by the antivirus engines on VirusTotal.

Authors of the SMSVova spyware have designed the threat to evade detection by antivirus solutions and Google Play’s malware detector. The app was last updated in December 2014, at that time the controls implemented by Google weren’t so stringent, anyway the malicious code eluded Google detector for years.

It is curious to note that according to the recent Google Android Security 2016 Year In Review report, in 2016 devices that installed applications only from Google Play had fewer than 0.05 percent of potentially harmful applications installed.

“There are many apps on the Google Play store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report,” concluded the analysis.