System Update app on the Google Play Store

An Android app named "System Update" that secretly contained a spyware family named SMSVova, survived on the official Google Play Store for at least three years, since 2014, when it was updated the last time.

Google intervened this week, after a report from mobile security firm Zscaler, but by the time Google took it down, between one and five million users had already installed it on their phones.

This happened even if the app's Play Store page looked extremely suspicious, as it featured blank white screenshots and one sentence as its description, reading: "This application updates and enables special location features."

User reviews left on the Play Store page also reflected the app's shady behavior, with Android users complaining the app didn't update their system as promised but simplify disappeared from their screen after they ran it the first time.

New SMSVova spyware was hidden inside the app's code

According to Zscaler researcher Shivang Desai, who analyzed the app's source code in a technical write-up here, the System Update app didn't contain any "system updating" features, but only spyware-like behavior.

Desai says the malware found within, which he named SMSVova, included functionality that set up an Android service and a broadcast receiver.

The Android service worked by taking the user's last known geo-location coordinates and saving this information inside "Shared Preferences," a storage space where Android usually gathers application data.

Spyware was controlled via SMS messages

On the other hand, the Android broadcast receiver is where most of the malicious code was. According to Desai, this receiver listened to incoming SMS messages containing the string "vova-" or "get faq".

An attacker sending an SMS with the "get faq" command to an infected host would receive back another SMS with a list of commands he could execute.

New commands could then be sent in new SMS messages by prefixing the instructions with "vova-", as: vova-set user password:'newpassword'

Some of the commands supported by SMSVova

The app included support for commands that reported the user's current location and changed the device's password.

The researcher wasn't able to determine why SMSVova would be collecting only geo-location information from users, but this could have been "used for any number of malicious reasons," Desai said.

SMSVova could be an early version of the DroidJack RAT

Furthermore, the researcher also discovered that SMSVova had the same code structure as a small section of the DroidJack RAT, one of the most well-known commercial Android remote access trojans on the market.

Comparisson between the SMSVova and DroidJack RAT source code

Taking into account that the System Update app didn't receive any update since December 2014, along with its similarity with DroidJack, this may very well be one of the first attempts to get the DroidJack RAT, or at least some part of it, past Google's security filters and on the Play Store.

The DroidJack RAT appeared on hacking forums in June 2014 and was based on the legitimate Sandroid remote administration app, still available today on the Google Play Store.

Images credit: Zscaler