SMS-based spyware, which can steal and relay a victim’s location to an attacker in real time, was downloaded between 1 and 5 million times before being pulled from Google’s official U.S. Play Store. On the Play Store, the app was titled “System Update,” suggesting that users who downloaded it would receive the latest Android release.
The malware, called SMSVova, is capable of pinpointing a user’s exact geolocation and then sending that data to an attacker. However, when a user installs and opens SMSVova, the app immediately quits and displays the following message: “Unfortunately, Update Service has stopped.” The app then hides itself from the main screen.
At this point, the app enables a MyLocationService feature that tracks a user’s last known location. It also scans for SMS message commands, which the attacker sends in order to adjust malware settings and ultimately request a user’s device location. The attacker can even specifically ask to receive a location alert when the victim’s battery is running low.
Despite the error message, the spyware sets up an Android service and broadcast receiver:
MyLocationService: Fetches last known location
IncomingSMS (Receiver): Scans for incoming SMS messages
MyLocationService fetches the user’s last known location and stores it in Shared Preferences. Shared Preferences is one of the many ways Android stores an application’s data.
IncomingSMS looks for incoming SMS messages with a particular syntax: the message must be more than 23 characters long and must contain “vova-” in the SMS body. It also scans for messages containing “get faq.”
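The two SMS indicators described above can be used to triage a message export from a suspect device. The following is an added example, not code from the malware or from the original analysis; the sample inbox, the text after “vova-” and the case-sensitive matching are assumptions.

```python
from collections import defaultdict

# Indicators taken from the article: the receiver reacts to SMS bodies that are
# longer than 23 characters and contain "vova-", or that contain "get faq".
MIN_LEN_EXCLUSIVE = 23
COMMAND_MARKER = "vova-"
FAQ_MARKER = "get faq"


def classify(body):
    """Return the indicator a message body matches, or None."""
    # Assumption: plain case-sensitive substring matching; the article does not
    # say how the malware compares strings.
    if FAQ_MARKER in body:
        return "faq-request"
    if COMMAND_MARKER in body and len(body) > MIN_LEN_EXCLUSIVE:
        return "vova-command"
    return None


def triage(messages):
    """Group matching messages by sender so an analyst can see who sent what."""
    hits = defaultdict(list)
    for sender, body in messages:
        label = classify(body)
        if label:
            hits[sender].append((label, body))
    return dict(hits)


# Constructed sample inbox (sender, body); none of these are real captures and
# the text after "vova-" is placeholder content, not real command syntax.
SAMPLE_INBOX = [
    ("+15550100", "vova-placeholder-setting-0001"),  # 29 chars, marker present
    ("+15550100", "get faq"),
    ("+15550123", "vova-short"),                     # marker, but too short
    ("+15550123", "Your parcel arrives tomorrow between 9 and 11"),
    ("+15550199", "vova-exactly-23-chars!!"),        # exactly 23 chars: no match
]

if __name__ == "__main__":
    for sender, found in triage(SAMPLE_INBOX).items():
        for label, body in found:
            print(f"{sender}\t{label}\t{body!r}")
```

A sender that appears in the output has sent at least one message matching the syntax the receiver scans for, which makes that number a starting point for further investigation.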