{
	"id": "594c9d51-7253-4866-9364-62ce9ca1fcb6",
	"created_at": "2026-04-06T00:15:16.591581Z",
	"updated_at": "2026-04-10T03:30:32.767276Z",
	"deleted_at": null,
	"sha1_hash": "9a2f7a7d4613d77dcd8c9cce43ec6b17c5273818",
	"title": "New Advanced Android Malware Posing as “System Update\" - Zimperium",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3833972,
	"plain_text": "New Advanced Android Malware Posing as “System Update” -\r\nZimperium\r\nBy Aazim Yaswant\r\nPublished: 2021-03-26 · Archived: 2026-04-05 13:43:08 UTC\r\nAnother week, and another major mobile security risk. A few weeks ago, Zimperium zLabs researchers disclosed\r\nunsecured cloud configurations exposing information in thousands of legitimate iOS and Android apps (you can\r\nread more about it in our blog). This week, zLabs is warning Android users about a sophisticated new malicious\r\napp.\r\nThe “System Update” app was identified by zLabs researchers who noticed an Android application being detected\r\nby the z9 malware engine powering zIPS on-device detection. Following an investigation, we discovered it to be a\r\nsophisticated spyware campaign with complex capabilities. We also confirmed with Google that the app was not\r\nand has never been on Google Play.\r\nIn this blog, we will:\r\nCover the capabilities of the spyware;\r\nDiscuss the techniques used to collect and store data; and\r\nShow the communication with the C\u0026C server to exfiltrate stolen data.\r\nWhat can the malware do?\r\nThe mobile application poses a threat to Android devices by functioning as a Remote Access Trojan (RAT) that\r\nreceives and executes commands to collect and exfiltrate a wide range of data and perform a wide range of\r\nmalicious actions, such as:\r\nStealing instant messenger messages;\r\nStealing instant messenger database files (if root is available);\r\nInspecting the default browser’s bookmarks and searches;\r\nInspecting the bookmark and search history from Google Chrome, Mozilla Firefox, and Samsung Internet\r\nBrowser;\r\nSearching for files with specific extensions (including .pdf, .doc, .docx, .xls, and .xlsx);\r\nInspecting the clipboard data;\r\nInspecting the content of the notifications;\r\nRecording audio;\r\nRecording phone calls;\r\nPeriodically taking pictures (either through the front or back cameras);\r\nListing the installed 
applications;\r\nStealing images and videos;\r\nMonitoring the GPS location;\r\nhttps://www.zimperium.com/blog/new-advanced-android-malware-posing-as-system-update/\r\nPage 1 of 9\n\nStealing SMS messages;\r\nStealing phone contacts;\r\nStealing call logs;\r\nExfiltrating device information (e.g., installed applications, device name, storage stats); and\r\nConcealing its presence by hiding the icon from the device’s drawer/menu.\r\nHow does the malware work?\r\nUpon installation (from a third-party store, not the Google Play Store), the device gets registered with the Firebase\r\nCommand and Control (C\u0026C) with details such as the presence or absence of WhatsApp, battery percentage,\r\nstorage stats, the token received from the Firebase messaging service, and the type of internet connection.\r\nThe device information can be updated through two commands, “update” and “refreshAllData”: with “update,”\r\nthe device information alone is collected and sent to the C\u0026C, whereas with “refreshAllData,” a new\r\nFirebase token is also generated and exfiltrated.\r\nThe spyware’s functionality and data exfiltration are triggered under multiple conditions, such as a new contact\r\nbeing added, a new SMS being received, or a new application being installed, by making use of Android’s ContentObserver and\r\nbroadcast receivers.\r\nCommands received through the Firebase messaging service initiate actions such as recording audio from the\r\nmicrophone and exfiltrating data such as SMS messages. 
The Firebase communication is only used to issue the\r\ncommands, and a dedicated C\u0026C server is used to collect the stolen data by using a POST request.\r\nFigure 1: Code to parse and execute the commands from Firebase C\u0026C (refer to IOCs)\r\nThe spyware watches for any activity of interest, such as a phone call, and immediately records the conversation,\r\ncollects the updated call log, and then uploads the contents to the C\u0026C server as an encrypted ZIP file. Determined\r\nto leave no traces of its malicious actions, the spyware deletes the files as soon as it receives a “success” response\r\nfrom the C\u0026C server confirming that the uploaded files were received.\r\nFigure 2: Broadcast receiver declaration in AndroidManifest.xml\r\nThe collected data is organized into several folders inside the spyware’s private storage, located at:\r\n“/data/data/com.update.system.important/files/files/system/FOLDER_NAME”, where the “FOLDER_NAME” is\r\nspecified as shown in the following image.\r\nFigure 3: Names of folders for storing stolen data in the app’s private directory\r\nAlong with the command “re” for recording the audio from the microphone, the parameters received are\r\n“from_time” and “to_time,” which are used to schedule a OneTimeWorkRequest job to perform the intended\r\nmalicious activity. Such job scheduling can be affected by the battery optimizations the Android OS applies to applications,\r\nso the spyware requests permission to ignore battery optimizations and function\r\nunhindered. 
\r\nFigure 4: Scheduling a job using parameters from the Firebase C\u0026C\r\nFigure 5: Code to prevent battery optimizations on the spyware application\r\nThe spyware is careful about the freshness of its data and does not reuse data collected more than a fixed\r\nperiod earlier.\r\nFor example, location data is collected either from the GPS or the network (whichever is the more recent), and if\r\nthis most recent value is more than 5 minutes in the past, it collects and stores the location data all over\r\nagain. The same applies to photos taken using the device’s camera, where the value is set to 40 minutes.\r\nFigure 6: Code to capture a picture using the camera if the last one was taken at least 40 minutes ago\r\nThe spyware abuses the device’s Accessibility Services (gained through social engineering, by asking users to enable\r\naccessibility services) to collect conversations and message details from WhatsApp by scraping the content on the\r\nscreen after detecting that the package name of the top window matches WhatsApp (“com.whatsapp”). The collected\r\ndata is stored in an SQLite database using the models seen in the images below.\r\nFigure 7: The database models for storing data from WhatsApp\r\nIn addition to collecting the messages using the Accessibility Services, if root access is available, the spyware\r\nsteals the WhatsApp database files by copying them from WhatsApp’s private storage.\r\nFigure 8: The six files that get copied from the WhatsApp database if root is available\r\nThe spyware actively steals the clipboard data by registering clipboard listeners, in just the same way as it spies on\r\nSMS, GPS location, contacts, call logs, and notifications. 
The listeners, observers, and broadcast intents are\r\nused to trigger actions such as recording a phone call and collecting the thumbnails of images/videos newly captured\r\nby the victim.\r\nFigure 9: Code to steal data from the clipboard\r\nThe Android device’s storage is searched for files smaller than 30MB with file extensions from the list of\r\n“interesting” types (.pdf, .doc, .docx, .xls, .xlsx, .ppt, .pptx); matching files are copied to the private directory of the application\r\nand encrypted as a folder before exfiltration to the C\u0026C server.\r\nFigure 10: Code to search for files with specific extensions and size less than 30MB\r\nAn aggressive capability of the spyware is to access and steal the contents cached and stored in the external\r\nstorage. Rather than exfiltrating all the images/videos, which can usually be quite large, the spyware steals\r\nthe thumbnails, which are much smaller in size. This also significantly reduces the bandwidth consumption\r\nand avoids showing any sign of data exfiltration over the internet (assisting in evading detection). 
When the victim\r\nis using Wi-Fi, all the stolen data from all the folders is sent to the C\u0026C, whereas when the victim is using a\r\nmobile data connection, only a specific set of data is sent to the C\u0026C, as seen in Figure 12.\r\nFigures 11 and 12: The code to collect thumbnails, and to make a list of folders to upload from a mobile\r\ndata connection\r\nApart from the various types of personal data stolen from the victim, the spyware also collects more private data, such as\r\nthe victim’s bookmarks and search history from popular browsers like Google Chrome, Mozilla Firefox, and the\r\nSamsung Internet Browser.\r\nFigure 13: The content providers to query bookmarks and searches made by the victim\r\nTo identify the victim’s device name, the spyware compares the information collected from the device’s\r\n“Build.DEVICE” and “Build.MODEL” with a list of hardcoded values amounting to a total of 112 device names,\r\nas seen below.\r\nFigure 14: Snippet of code to identify the device by matching with a list of 112 devices\r\nThe spyware creates a notification if the device’s screen is off when it receives a command through the Firebase\r\nmessaging service, as shown in the images below. The “Searching for update..” notification is not a legitimate notification\r\nfrom the operating system but comes from the spyware.\r\nFigures 15 and 16: The fake notification and communication with the C\u0026C server\r\nThe spyware is capable of performing a wide range of malicious activities to spy on the victim while posing as a\r\n“System Update” application. It exhibits a rarely seen feature, stealing thumbnails of videos and images, and\r\nuses a combination of Firebase and a dedicated Command \u0026 Control server to receive\r\ncommands and exfiltrate data. 
\r\nIOCs\r\nSpyware applications:\r\n96de80ed5ff6ac9faa1b3a2b0d67cee8259fda9f6ad79841c341b1c3087e4c92\r\n6301e2673e7495ebdfd34fe51792e97c0ac01221a53219424973d851e7a2ac93\r\nC\u0026C servers:\r\nhxxps://mypro-b3435.firebaseio.com\r\nhxxps://licences.website/backendNew/public/api/\r\nTo learn more\r\nTo learn more about how Zimperium detects and prevents malware from disrupting enterprises globally, contact\r\nus.\r\nZimperium zIPS, powered by Zimperium’s machine learning-based engine, z9, detects this malware. Additionally,\r\nzIPS with Samsung Knox enables immediate and automated mitigation capabilities.\r\nSource: https://www.zimperium.com/blog/new-advanced-android-malware-posing-as-system-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.zimperium.com/blog/new-advanced-android-malware-posing-as-system-update/"
	],
	"report_names": [
		"new-advanced-android-malware-posing-as-system-update"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434516,
	"ts_updated_at": 1775791832,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a2f7a7d4613d77dcd8c9cce43ec6b17c5273818.pdf",
		"text": "https://archive.orkl.eu/9a2f7a7d4613d77dcd8c9cce43ec6b17c5273818.txt",
		"img": "https://archive.orkl.eu/9a2f7a7d4613d77dcd8c9cce43ec6b17c5273818.jpg"
	}
}