The Android spyware program SMSVova is capable of pinpointing a user's exact geolocation and then sending that data to an attacker.
The Android spyware program SMSVova is capable of pinpointing a user's exact geolocation and then sending that data to an attacker.

A spyware program disguised as an app that dispenses Android updates was downloaded between 1 and 5 million times before being pulled from Google's official U.S. Play Store, according to researchers at Zscaler.

The malware, called SMSVova, is capable of pinpointing a user's exact geolocation and then sending that data to an attacker, the Internet security company reported in a blog post on Wednesday. On the Play Store, the app was titled "System Update," suggesting that users who download it would receive the latest Android release.

However, upon installing and opening SMSVova, the app immediately quits, delivering the following message: "Unfortunately, Update Service has stopped." The app then hides itself from the main screen.

At this point, the app enables a MyLocationService feature that tracks a user's last known location. It also scans for SMS message commands, which the attacker sends in order to adjust malware settings and ultimately request a user's device location. The attacker can even specifically ask to receive a location alert when the victim's battery is running low.

The blog post does not specify the exact motive behind the spyware, stating only that the geo-tracking feature could be used "for any number of malicious reasons. In an email interview with SC Media, Zscaler senior director of security research and operations Deepen Desai elaborated further: "The end game could vary, including delivering malicious ads to cause further infections, spying, or even being used for legitimate localized ads per the user's location and invading privacy," said Desai.

Zscaler also noted that the Remote Access Trojan DroidJack leverages the exact same code for capturing a victim's location that SMSVova uses. It is unclear which malware stole borrowed from the other, although Desai said it is "more likely" that DroidJack copied the code from SMSVova.

Observant Android users may have noticed certain clues that that app wasn't legit. For instance, the Google Play Store page featuring this app showed blank screenshots, and there was no proper description for the program. Also, the app was a frequent recipient of poor ratings and scathing reviews. Still, the malicious spyware managed to stay under the radar on the Play Store since 2014, before Google finally removed it following a private disclosure from Zscaler.

"This app made it to [the] Play Store in 2014. Google's app vetting process has improved tremendously over the years, but we are unsure if existing and older apps are vetted on an ongoing basis. This would be a heavy task given the size of these play stores," said Desai.

At the time of analysis, not a single antivirus engine available via VirusTotal detected the app as malware. In the blog post, Zscaler theorized that this primarily could be due to SMSVova's "SMS-based behavior and exception generation at the initial stage of startup."