A banking and personal information stealing mobile malware posing as a Google Chrome update for Android, and which can't be removed from the infected device, has been spotted in the wild by cybersecurity researchers.
The infostealer malware - discovered by the Zscaler ThreatLabZ research team - is capable of harvesting banking information, call logs, SMS data and browser history which are all sent to a remote command-and-control server.
Rather than being served by one URL, the malware squats on multiple domains which are similar to existing Google updates. Each URL is only active for a short amount of time, with the addresses serving the malware regularly updated and replaced in order to ensure it avoids detection. Users who download the fake Android application package - titled "Update_chrome.apk" - are prompted to allow the malware to gain administrative access to their phone and in doing so, unwittingly infect their device.
According to Deepen Desai, Director of Security Research at Zscaler, users are often tricked into installing the malware the fake Chrome update will tell them they've been comporomised by a non-existent virus.
"The malware may arrive from compromised or malicious websites using scareware tactics or social engineering. One common theme we have seen in recent malicious android application packages involves scareware tactics where the user will see a popup indicating that their device is infected with a virus and asks them to update to clean up infection," he told.
Once installed, the malware checks for installed security applications which are supposed to provide protection and prevents them from working correctly. In their report on the malware, Zscaler researchers write that antivirus applications like Kaspersky, ESET, Avast and Dr. Web can all be terminated by the infostealer.
With the malware now free to do as it pleases on the infected devices, text messages and call logs are monitored, with all outgoing, received and missed communications logged and sent to a command-and-control server. Not only that, but the malware is capable of creating an authentic looking fake payment page - to take all major credit cards - in the Google Play store.
If payment information is entered, the malware takes a screenshot and sends it to a Russian phone number. Once installed on a device, the infostealer can't be removed because the malware refuses to allow the user to remove administrative access. The only way to remove the infection is to return the device to factory settings - an option which causes all data stored on the phone to be lost.
