Location tracking spyware has been discovered after three years in Google’s Play Store.
A security company called Zscaler recently revealed that a piece of spyware has been sitting in the Google Play Store since 2014, and it’s capable of tracking a user’s location and sending that data to potential attackers. The spyware, called SMSVova, pretends to be a system update in the Play Store and has reportedly been downloaded between 1 million and 5 million times in the three years since its creation.
The app claims to give the user access to the latest updates for Android OS, though the app description only vaguely explains that it “updates and enables special location”. Researchers at Zscaler first became suspicious of the app when they noticed a large number of negative reviews complaining that the app doesn’t update Android OS, drains the battery and makes the phone run slowly. A lack of screenshots and a poor description of the app’s purpose led the researchers to take an even closer look.
What the app actually does is compromise the security of anyone who downloads it by sending location information to a third party. Once the app is downloaded and run, the user is shown a window saying “Unfortunately, Update Service has stopped”. This is only meant to mislead you; in reality, the app is running just fine and hiding its run icon from the user’s screen. The spyware then sets up a service called MyLocationService, which collects location data and modifies the device’s data accessing interface.
The spyware also installs an IncomingSMS receiver which reads and interprets incoming texts. If an attacker sends, for example, “get faq”, the spyware will read and interpret that message, and send further commands to continue the attack, or password lock the app. The Zscaler researchers believe that the reliance on SMS to set up the spyware is one reason why it has avoided detection for so long.
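The two components described above, a location service and a receiver for incoming SMS, both have to be declared in an app's manifest. The following is an added example, not code from Zscaler or from the app: a Python triage that flags that combination in an AndroidManifest.xml assumed to be already decoded to text XML. The sample manifest and its package name are constructed; only the names MyLocationService and IncomingSMS come from the article.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
LOC_PERMS = {"android.permission.ACCESS_FINE_LOCATION",
             "android.permission.ACCESS_COARSE_LOCATION"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample manifest (not extracted from the real app); the package
# name is a placeholder, the two component names are those the article gives.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.systemupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="System Update">
    <service android:name=".MyLocationService"/>
    <receiver android:name=".IncomingSMS">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(xml_text):
    """Return findings for the SMS-plus-location pattern in a decoded manifest."""
    # For manifests from untrusted APKs, prefer a hardened parser such as defusedxml.
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    sms_receivers = [
        r.get(ANDROID + "name")
        for r in root.iter("receiver")
        for a in r.iter("action")
        if a.get(ANDROID + "name") == SMS_ACTION
    ]
    findings = []
    if perms & SMS_PERMS and perms & LOC_PERMS:
        findings.append("requests both SMS and location permissions")
    if sms_receivers:
        findings.append("receiver listens for incoming SMS: " + ", ".join(sms_receivers))
    return findings

if __name__ == "__main__":
    for finding in triage_manifest(SAMPLE_MANIFEST):
        print("[!]", finding)
```

Neither finding is proof of spyware on its own, since legitimate apps use both permission groups; the combination in an app that presents itself as a system updater is what warrants a closer look.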
It is unknown who is behind the spyware, and why they would be interested in location data for a large number of regular users. The app hasn’t been updated since December 2014, though this doesn’t necessarily mean the app is dead. One noteworthy point is that the app seems to share code with the DroidJack trojan, suggesting that the same people are responsible for both pieces of software.
The spyware has now been removed from the Play Store, but it isn’t the first time something like this has managed to sneak past Google’s defenses. Perhaps that isn’t too surprising, considering the huge software library and user base of 1.4 billion. It is cause, however, to reiterate the advice we always hear after news like this – be vigilant, and be wary of downloading software that seems sketchy, has bad reviews, or for some other reason is giving off weird vibes.