Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Threat Intelligence, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

SMSVova spyware downloaded millions of times from Google Play store since 2014

A spyware program disguised as an app that dispenses Android updates was downloaded between 1 and 5 million times before being pulled from Google's official U.S. Play Store, according to researchers at Zscaler.

The malware, called SMSVova, is capable of pinpointing a user's exact geolocation and then sending that data to an attacker, the Internet security company reported in a blog post on Wednesday. On the Play Store, the app was titled "System Update," suggesting that users who download it would receive the latest Android release.

However, upon installing and opening SMSVova, the app immediately quits, delivering the following message: "Unfortunately, Update Service has stopped." The app then hides itself from the main screen.

At this point, the app enables a MyLocationService feature that tracks a user's last known location. It also scans for SMS message commands, which the attacker sends in order to adjust malware settings and ultimately request a user's device location. The attacker can even specifically ask to receive a location alert when the victim's battery is running low.

The blog post does not specify the exact motive behind the spyware, stating only that the geo-tracking feature could be used "for any number of malicious reasons. In an email interview with SC Media, Zscaler senior director of security research and operations Deepen Desai elaborated further: "The end game could vary, including delivering malicious ads to cause further infections, spying, or even being used for legitimate localized ads per the user's location and invading privacy," said Desai.

Zscaler also noted that the Remote Access Trojan DroidJack leverages the exact same code for capturing a victim's location that SMSVova uses. It is unclear which malware stole borrowed from the other, although Desai said it is "more likely" that DroidJack copied the code from SMSVova.

Observant Android users may have noticed certain clues that that app wasn't legit. For instance, the Google Play Store page featuring this app showed blank screenshots, and there was no proper description for the program. Also, the app was a frequent recipient of poor ratings and scathing reviews. Still, the malicious spyware managed to stay under the radar on the Play Store since 2014, before Google finally removed it following a private disclosure from Zscaler.

"This app made it to [the] Play Store in 2014. Google's app vetting process has improved tremendously over the years, but we are unsure if existing and older apps are vetted on an ongoing basis. This would be a heavy task given the size of these play stores," said Desai.

At the time of analysis, not a single antivirus engine available via VirusTotal detected the app as malware. In the blog post, Zscaler theorized that this primarily could be due to SMSVova's "SMS-based behavior and exception generation at the initial stage of startup."

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.