Zscaler is warning Android users about a fake Google Chrome update that installs malware onto their devices. The malware steals information including browser data, banking details, call logs and SMS data which is then sent to a remote server.
As well as stealing data, the malware looks for antivirus applications installed by the user and disables them, so a user who is not actively checking the device will have no indication that it has been infected. There is currently no clean way to remove it: Zscaler reports that the only remedy is a factory reset, which wipes all data on the device.
Using domain name squatting to catch victims
The alert highlights the use of domain name squatting to catch users out. By using domain names that look right to a user who is not paying close attention to the full URL, the attackers fool victims into downloading the malware. Although Zscaler has published a list of the initial URLs, it says they have a very short life and are quickly replaced with others. As yet it has not published any details of the domain generation algorithm (DGA) the attackers use to produce them.
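A simple screen for the kind of lure URL described above, added here as an illustration and not part of Zscaler's tooling or its published list. It flags a URL when the host uses a Google brand word outside a Google-owned domain, when the registered label is a close typo of "google", or when the URL serves an APK directly. The URLs, the allowlist of Google domains and the two-label approximation of a registered domain are all assumptions made for the example.

```python
"""Heuristic screen for brand-squatting URLs that push an APK "update".

Added example: not Zscaler's code, and the sample URLs are constructed
for illustration rather than taken from the published list.
"""
from urllib.parse import urlparse

# Domains Google uses itself; an assumption for this example, not exhaustive.
GOOGLE_DOMAINS = {"google.com", "android.com", "googleapis.com", "gstatic.com"}
BRAND_WORDS = ("chrome", "google", "android")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch 'gooogle' / 'goggle' style typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Last two labels of the host. Simplification (assumption): does not
    handle multi-part public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def assess_url(url: str) -> dict:
    """Return the reasons a URL looks like a fake-update lure (empty = clean)."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    reg = registered_domain(host)
    reasons = []
    if reg in GOOGLE_DOMAINS:
        return {"url": url, "host": host, "reasons": reasons}
    # A brand word anywhere in a host Google does not own.
    if any(word in host for word in BRAND_WORDS):
        reasons.append("brand word in non-Google host")
    # The registered label itself is a near-miss of 'google', e.g. gooogle.com.
    label = reg.split(".")[0]
    if label not in BRAND_WORDS and levenshtein(label, "google") <= 2:
        reasons.append(f"label '{label}' within edit distance 2 of 'google'")
    if parsed.path.lower().endswith(".apk"):
        reasons.append("serves an APK directly")
    return {"url": url, "host": host, "reasons": reasons}


def screen(urls):
    """Return only the URLs that raised at least one reason."""
    return [r for r in (assess_url(u) for u in urls) if r["reasons"]]


# Constructed sample input, not the real lure domains.
SAMPLE_URLS = [
    "http://update-chrome-android.ru/Update_chrome.apk",
    "http://gooogle.com/Update_chrome.apk",
    "https://play.google.com/store/apps/details?id=com.android.chrome",
    "http://example.com/index.html",
]

if __name__ == "__main__":
    for hit in screen(SAMPLE_URLS):
        print(hit["url"], "->", "; ".join(hit["reasons"]))
```

The allowlist check runs first so that genuine Google hosts never trip the brand-word rule; in production the registered-domain step should use a public suffix list rather than the two-label shortcut used here.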
Malware demands admin privileges
Users are asked to download a file called Update_chrome.apk. Once run, it asks the user to grant it device administrator privileges. Its first task is to look for antivirus software on the device; according to Zscaler, the code explicitly checks for Kaspersky, ESET, Avast and Dr.Web.
The installed app then begins to harvest data and send it back to the command and control (C&C) server, starting with the complete call log, including missed calls, and all SMS messages. One of its stranger behaviours is to terminate any incoming call from an unknown number. For anyone suffering the daily round of PPI, accident help, lottery win and other scam calls, it seems the malware authors share your pain.
At a more serious level, the malware intercepts any attempt to open the Google Play Store. As soon as the user attempts to buy something they are presented with a fake page from the app, which harvests the user's details and full credit card information. That data is sent to a recipient in Russia via a telephone number hard-coded into the malware. This may mean that this phase of the attack is short-lived, as telcos should be able to block that number.
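The capabilities described in the last three paragraphs (device administrator request, call-log and SMS harvesting, call termination, an overlay over the Play Store and exfiltration via SMS) each leave a trace in an APK's manifest, which makes a quick static triage possible before any dynamic analysis. The script below is an added example, not Zscaler's analysis; the two manifests are constructed for illustration and are not extracted from the real sample, and the mapping from each described behaviour to the permissions it would need is an assumption made for the example.

```python
"""Static triage of an Android manifest for the behaviours described above.

Added example: not Zscaler's code. Manifests are constructed, and the
behaviour-to-permission mapping is an assumption, not taken from the sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERM = f"{{{ANDROID_NS}}}permission"

# Behaviour -> permissions it would need (assumed mapping for this example).
BEHAVIOURS = {
    "harvest call logs": {"android.permission.READ_CALL_LOG"},
    "harvest SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "exfiltrate over SMS": {"android.permission.SEND_SMS"},
    "terminate calls": {"android.permission.CALL_PHONE", "android.permission.READ_PHONE_STATE"},
    "overlay fake Play Store page": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "network C&C": {"android.permission.INTERNET"},
}

# Constructed manifest modelled on the described behaviour, not the real one.
CONSTRUCTED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechromeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Chrome Update">
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather"/>
</manifest>
"""


def parse_manifest(xml_text: str) -> dict:
    """Collect declared permissions and whether a device-admin receiver exists."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    device_admin = False
    for rcv in root.iter("receiver"):
        if rcv.get(A_PERM) == "android.permission.BIND_DEVICE_ADMIN":
            actions = {a.get(A_NAME) for a in rcv.iter("action")}
            if "android.app.action.DEVICE_ADMIN_ENABLED" in actions:
                device_admin = True
    return {"package": root.get("package"), "permissions": perms, "device_admin": device_admin}


def triage(xml_text: str) -> dict:
    """List the described behaviours the manifest could support and a verdict."""
    info = parse_manifest(xml_text)
    found = [b for b, need in BEHAVIOURS.items() if need <= info["permissions"]]
    # Device admin combined with data-theft capability is what makes the sample
    # hard to uninstall and worth escalating; either alone is only a review item.
    data_theft = {"harvest call logs", "harvest SMS", "exfiltrate over SMS"}
    verdict = "escalate" if info["device_admin"] and data_theft & set(found) else "review"
    return {**info, "behaviours": found, "verdict": verdict}


if __name__ == "__main__":
    for m in (CONSTRUCTED_MANIFEST, BENIGN_MANIFEST):
        r = triage(m)
        print(r["package"], r["verdict"], r["behaviours"])
```

Permissions only show what an app could do, not what it does, so the verdict is a prioritisation signal for an analyst rather than a detection on its own; a real pipeline would extract the manifest from the APK with a tool such as apktool or aapt before running this check.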
Updates to Chrome on Android are delivered by Google through the Google Play Store, not by device manufacturers and not through links on web pages. Users should install updates only from the Play Store and treat any web page or pop-up offering a Chrome update as a download as suspect; installing an APK from such a link also requires allowing installation from unknown sources, a setting that should stay off. With the latest Chrome 50 app released just two days ago and beginning to make its way onto Android, users need to be very aware of what they are downloading. If they are not careful, this attack will cause problems for a lot of them.