New Malicious Malware Found on Google Play Store Apps

Cybersecurity researchers from Security Without Borders reportedly discovered malware on the Google Play Store. According to reports, the virus gathers user information and sends it over to an external server where still unknown individuals can access them.

The dangerous strain of malware was found on over 20 applications posted on the Google Play Store. Dubbed as Exodus, the spyware not only collects information, but can also root Android devices to enhance its spying features.

The security firm wrote in its report:

“We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years. These apps would remain available on the Play Store for months and would eventually be re-uploaded.”

Notorious Malware Disguised as Downloadable Apps

The researchers claimed that the notorious malware has two stages, Exodus One and Exodus Two. The first stage commences when an unsuspecting user downloads and installs the decoy application.

According to the report, the details of the applications are different, but they all share the same disguise: applications distributed by unknown operatators in Italy. The team explained:

“Often the app description on the Play Store would reference some SMS messages the targets would supposedly receive leading them to the Play Store page. All of the Play Store pages we identified and all of the decoys of the apps themselves are written in Italian.”

Exodus One’s purpose was to allegedly collect basic information about the device like its IMEI code and phone number. Then, the information will be sent to a Command & Control server where the Android device will be marked as a target of a new infection.

Executing Exodus Two

In the next step, a Zip archive will be returned to the device after the check-in performed during the first stage. The Zip file contains the primary payload mike.jar and other utility files that serve different functions. Exodus One will load and execute the Exodus Two payload mike.jar using the Android API DexClassLoader ().

“Similarly to another Android spyware made in Italy, originally discovered by Lukas Stefanko and later named Skygofree and analyzed in depth by Kaspersky Labs, Exodus also takes advantage of “protectedapps”, a feature in Huawei phones that allows to configure power-saving options for running applications. By manipulating a SQLite database, Exodus is able to keep itself running even when the screen goes off and the application would otherwise be suspended to reduce battery consumption.”

The security firm listed several data collection and exfiltration capabilities that Exodus has. This include:

Retrieve a list of installed applications.
Record surroundings using the built-in microphone in 3gp format.
Retrieve the browsing history and bookmarks from Chrome and SBrowser (the browser shipped with Samsung phones).
Extract events from the Calendar app.
Extract the calls log.
Record phone calls audio in 3gp format.
Take pictures with the embedded camera.
Collect information on surrounding cellular towers (BTS).
Extract the address book.
Extract the contacts list from the Facebook app.
Extract logs from Facebook Messenger conversations.
Take a screenshot of any app in the foreground.
Extract information on pictures from the Gallery.
Extract information from the Gmail app.
Dump data from the IMO messenger app.
Extract call logs, contacts, and messages from the Skype app.
Retrieve all SMS messages.
Extract messages and the encryption key from the Telegram app.
Dump data from the Viber messenger app.
Extract logs from WhatsApp.
Retrieve media exchanged through WhatsApp.
Extract the Wi-Fi network’s password.
Extract data from the WeChat app.
Extract current GPS coordinates of the phone.

As per Security Without Borders, recently updated Android devices are already immune to the notorious malware. Google has also removed the majority of the applications reported to contain the Exodus spyware in it.