
How does Overseer spyware work on infected Android apps?

Spyware was found on infected Android apps, which were meant to convey embassy information and news, in the Google Play Store. Expert Michael Cobb explains how the spyware works.

Four Android apps that were meant for conveying embassy information and news for specific European countries were removed from the Google Play Store for containing Overseer spyware. The spyware collected data from devices, such as contacts, email and GPS data. How did the malicious components of the infected Android apps work, and how did they make their way into the Google Play Store?

At the beginning of 2016, the malicious app ZergHelper managed to slip past Apple's App Review process by using geolocation to hide its malicious activities from anyone located outside of China.

Now, researchers at the security firm Lookout Inc. have identified infected Android apps that target people travelling overseas. Lookout found the Overseer malware in four apps -- Embassy, European News, Russian News and a Russian-language app. The infected Android apps were downloaded 10,000 times via Google Play, but were removed immediately when Lookout notified Google of their findings.

The language and news apps had relatively few downloads, and the reviews for both appeared to be fake, but the Embassy app proved more popular, as it fronted as a search tool for travelers wanting to find the addresses of specific embassies in any geographic location.

Once an infected app was installed, the Overseer malware gathered a host of information from the compromised device: details of the user's accounts; their contacts, including names, phone numbers, email addresses and the number of times each was contacted; geolocation information; and data about the device, including identification numbers and whether it had been rooted. This information was sent to the attacker's command-and-control (C&C) servers, and allowed the attacker to decide what type of additional malicious components or exploits to download to the device to extend the attack.

The malicious components of these infected Android apps probably managed to avoid detection during Google's dynamic review process because they didn't run all the time, and they obfuscated communications with the C&C server. The malware only contacted the C&C servers every 15 minutes for instructions, so unless analysis took place exactly when instructions were being issued or carried out, nothing untoward would appear to have happened.

The C&C servers were located on Facebook's Parse Server hosted on Amazon Web Services, and traffic between them and the app was encrypted using HTTPS. Encrypted traffic to a popular and trusted cloud service would not look out of the ordinary, and many security monitoring tools would fail to flag it as suspicious.
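The two preceding paragraphs describe why Overseer's traffic was hard to spot: a quiet 15-minute check-in cadence, HTTPS, and a destination on a trusted cloud platform. What such traffic does leave behind is timing regularity. The following is an added example, not code from the article or from Lookout, showing how a defender can flag that regularity in outbound proxy logs without needing to decrypt anything. The log lines and the hostname `api.parse.example` are constructed placeholders (the real C&C endpoint is not given in the article); the 15-minute period is the one the article reports.

```python
"""Flag periodic beaconing in outbound proxy logs.

Added example (not from the article or Lookout). A client that contacts the
same host at near-constant intervals stands out even when the host is a
trusted cloud service and the payload is encrypted; legitimate browsing to a
news site has irregular spacing.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client> <destination host> <bytes>".
# api.parse.example is a placeholder for a C&C endpoint hosted on a cloud platform;
# news.example is ordinary user browsing with irregular timing.
SAMPLE_LOG = """\
2017-02-01T09:00:00 10.0.0.5 api.parse.example 512
2017-02-01T09:02:11 10.0.0.5 news.example 20480
2017-02-01T09:15:01 10.0.0.5 api.parse.example 498
2017-02-01T09:30:00 10.0.0.5 api.parse.example 530
2017-02-01T09:31:47 10.0.0.5 news.example 18000
2017-02-01T09:45:02 10.0.0.5 api.parse.example 501
2017-02-01T10:00:00 10.0.0.5 api.parse.example 515
2017-02-01T10:15:01 10.0.0.5 api.parse.example 507
2017-02-01T10:44:09 10.0.0.5 news.example 22000
2017-02-01T11:05:33 10.0.0.5 news.example 19000
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, destination) tuples; byte count is ignored."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _size = line.split()
        events.append((datetime.fromisoformat(ts), client, dest))
    return events


def find_beacons(events, min_hits=4, max_cv=0.1):
    """Return (client, dest) pairs whose request spacing is near-constant.

    Regularity is measured with the coefficient of variation (stdev / mean) of
    the gaps between consecutive requests: 0.0 is a perfect metronome, while
    human-driven traffic typically scores well above max_cv.
    """
    by_pair = defaultdict(list)
    for ts, client, dest in events:
        by_pair[(client, dest)].append(ts)

    findings = []
    for (client, dest), stamps in by_pair.items():
        if len(stamps) < min_hits:  # too few samples to judge a rhythm
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "dest": dest,
                "hits": len(stamps),
                "period_s": avg,
                "cv": cv,
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['client']} -> {hit['dest']}: {hit['hits']} requests, "
              f"~{hit['period_s']:.0f}s period (cv={hit['cv']:.4f})")
```

On the sample, only the cloud-hosted placeholder host is reported, with a period of about 900 seconds; the news site, despite the same number of requests, is skipped because its gaps vary widely. In production the same logic runs over a day of proxy or NetFlow records per client, and a low coefficient of variation toward a cloud PaaS domain is a prompt to look at which app on the device owns that traffic rather than a verdict on its own.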

Users should be reminded that enterprise security policies still apply when travelling abroad, and that extra care should be taken when using network-enabled devices, as employees are more likely to be the targets of espionage-driven attacks.

Geolocation-enabled malware appears to be a growing trend, so it may well be riskier downloading apps while abroad, as they may have been able to slip through regular store review checks. Hopefully, the major app stores will introduce additional geolocation-based checks into their review processes to prevent this type of obfuscation of malicious code from succeeding in the future.


This was last published in February 2017
