
How does Overseer spyware work on infected Android apps?

Spyware was found on infected Android apps, which were meant to convey embassy information and news, in the Google Play Store. Expert Michael Cobb explains how the spyware works.

Four Android apps that were meant for conveying embassy information and news for specific European countries were removed from the Google Play Store for containing Overseer spyware. The spyware collected data from devices, such as contacts, email and GPS data. How did the malicious components of the infected Android apps work, and how did they make their way into the Google Play Store?

At the beginning of 2016, the malicious app ZergHelper managed to slip past Apple's App Review process by using geolocation to hide its malicious activities from anyone located outside of China.

Now, researchers at the security firm Lookout Inc. have identified infected Android apps that target people travelling overseas. Lookout found the Overseer malware in four apps -- Embassy, European News, Russian News and a Russian-language app. The infected Android apps were downloaded 10,000 times via Google Play, but were removed immediately when Lookout notified Google of its findings.

The language and news apps had relatively few downloads, and the reviews for both appeared to be fake, but the Embassy app proved more popular, as it posed as a search tool for travelers wanting to find the addresses of specific embassies in any geographic location.

Once an infected app was installed, the Overseer malware gathered a host of information from the compromised device: details of the user's accounts; their contacts, including names, phone numbers, email addresses and the number of times each was contacted; geolocation information; and data about the device, including identification numbers and whether it had been rooted. This information was sent to the attacker's command-and-control (C&C) servers, and allowed the attacker to decide what additional malicious components or exploits to download to the device to extend the attack.

The malicious components of these infected Android apps probably managed to avoid detection during Google's dynamic review process because they didn't run all the time, and they obfuscated communications with the C&C server. The malware only contacted the C&C servers every 15 minutes for instructions, so unless analysis took place exactly when instructions were being issued or carried out, nothing untoward would appear to have happened.

The C&C servers were located on Facebook's Parse Server hosted on Amazon Web Services, and traffic between them and the app was encrypted using HTTPS. Encrypted traffic to a popular and trusted cloud service would not look out of the ordinary, and many security monitoring tools would fail to flag it as suspicious.
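The fixed 15-minute polling described above is one pattern a defender can still look for when the traffic itself is HTTPS to a trusted cloud host. The following Python is an added example, not code from the article or from Lookout: it parses constructed proxy log lines (placeholder host names, not indicators from the article) and flags client/host pairs whose requests recur at a near-constant interval, while ordinary browsing with irregular gaps is left alone.

```python
# Added example: periodic-beacon detection over constructed proxy log lines.
# Not from the article; host names below are placeholders, not indicators.
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev

# Constructed sample log, one request per line: "<ISO timestamp> <client> <host> <status>".
# The first host is polled roughly every 15 minutes; the second is visited irregularly.
SAMPLE_LOG = """\
2016-08-01T09:00:02Z 10.0.0.5 api.example-parse-host.invalid 200
2016-08-01T09:03:11Z 10.0.0.5 www.example-news-site.invalid 200
2016-08-01T09:15:03Z 10.0.0.5 api.example-parse-host.invalid 200
2016-08-01T09:30:01Z 10.0.0.5 api.example-parse-host.invalid 200
2016-08-01T09:41:45Z 10.0.0.5 www.example-news-site.invalid 200
2016-08-01T09:45:02Z 10.0.0.5 api.example-parse-host.invalid 200
2016-08-01T10:00:04Z 10.0.0.5 api.example-parse-host.invalid 200
2016-08-01T10:02:19Z 10.0.0.5 www.example-news-site.invalid 200
2016-08-01T10:15:01Z 10.0.0.5 api.example-parse-host.invalid 200
2016-08-01T10:52:30Z 10.0.0.5 www.example-news-site.invalid 200
"""


def parse_log(text):
    """Group request timestamps (POSIX seconds, sorted) by (client, host)."""
    series = defaultdict(list)
    for line in text.splitlines():
        ts, client, host, _status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        series[(client, host)].append(when.timestamp())
    for times in series.values():
        times.sort()
    return series


def find_beacons(series, min_requests=4, max_jitter=0.05):
    """Return {(client, host): mean gap in seconds} for near-periodic series.

    A series counts as periodic when the coefficient of variation of its
    inter-request gaps (stdev / mean) is at or below max_jitter. Short series
    are skipped so a handful of coincidental visits does not trigger an alert.
    """
    hits = {}
    for key, times in series.items():
        if len(times) < min_requests:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = avg
    return hits


if __name__ == "__main__":
    for (client, host), gap in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {host}: beacon every {gap / 60:.1f} min")
```

A real deployment would read proxy or NetFlow records over a longer window and tune `max_jitter` to the legitimate polling clients in the environment, since many benign apps also check in on a schedule.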

Users should be reminded that enterprise security policies still apply when travelling abroad, and that extra care should be taken when using network-enabled devices, as employees are more likely to be the targets of espionage-driven attacks.

Geolocation-enabled malware appears to be a growing trend, so it may well be riskier downloading apps while abroad, as they may have been able to slip through regular store review checks. Hopefully, the major app stores will introduce additional geolocation-based checks into their review processes to prevent this type of obfuscation of malicious code from succeeding in the future.
