Dangerous SMSVova Android Malware Infects Millions Users Worldwide

Security researchers discovered a dangerous new threat called SMSVova Android malware that poses as a system update app.

SMSVova Android Malware Infects Millions Users Worldwide

Google’s mobile operating system has once again become a target for computer hackers. The latest massive virus to poison users worldwide is the new SMSVova Android malware which security researchers rate as being very dangerous. It is distributed as a counterfeit system update application. Upon installation it modifies the environment to achieve a persistent state of execution. It then starts to transmit the real-time location of the user to the attackers. In addition if the user attempts to open it up an error message is displayed. This is to fool the user that the program does not work and is not running.

Subsequently the app has been removed from the Google Play Store however a lot of users still have it installed on their computers.

SMSVova Android Malware Details

Information about the application on the Google Play store shows the Android logo, its name “System Update” and that the company that is developing it “P.D.A.C. Tech”. There are several warning signs that potential victims can spot to prevent themselves from becoming infected:

  • There is no way a non-Google application can update the whole system.

  • The description of the application does not in what way the requested privileges are used.

  • Before installing an untrusted application every user should review the comments section to check whether it is legitimate, useful and fully-functioning.

  • The lack of screenshots can signal a misleading app.

The malware is dangerous as it actively spies on the user by transmitting their location in real time. The researchers have still not identified a reason why this is being. There are two possible versions:

  1. An updated version of the SMSVova Android Malware might include new features that can use the location data for various criminal actions.

  2. The Use of the malware together with additional payloads.

The security analysis reveals that the virus is being controlled by hacker-issued SMS messages. This is possible through the privilege granted by the user when the application has been installed. The incoming messages are scanned to look for a particular pattern: they need to be no more than 23 characters long and they need to contain the strings “vova-” and “get faq”. When the command “get faq” is issued to the remote hosts the spyware engine responds with a set of available commands. An excerpt of the output shows the following options:

  • Vova-set user password:’password’ – Used for setting up a password to access the host.

  • vova-change user password from:’your password’ to:’new password’ – Changes the currently used password.

  • vova-reset password:’your password’ – Password reset function.

  • vova-set low battery sms for:’your phone number’pass:’your password’ – Low battery notification toggle.

This shows that the possible attack scenario is the following:

  1. The users infect themselves with the malware downloaded from the Google Play Store store or another download source.

  2. Once the app is installed or interacted with it starts its background process.

  3. The attackers can connect to the instances using the default password (“Vova”) or modify the malware’s settings.

  4. Once the malware has been set up it starts to transmit the device location of the victim devices to the attackers.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

SMSVova Android Malware And Other Viruses

The malware was last updated in December 2014. This however does not mean that until now it has remained dormant. Another remote access Trojan known as DroidJack (read more about it here) has used the same code in its own virus engine for tracking the geolocation of the victims. We suspect two possible explanations:

  1. DroidJack and SMSVova Are Made By The Same Hacker Collective – This is probably the most logical explanation. The analyzed code and behavior of the tracking module are exactly the same which indicates that the same people are behind both viruses.

  2. SMSVova Android Malware Acquired Code – It is possible for the SMSVova Android malware to be sold on underground hacker markets. As a result the DroidJack malware may be a heavily modified version of the former. If the source code is available on the hacker communities then its geolocation module can be inserted in other malware.

According to the researchers one of the reasons why the virus has infected so many users is the fact that the malicious code has deceived some of the virus scanners by presenting the spyware features as legitimate. Remote control via SMS messages is a widely used feature in many apps used for tracking children or elderly people.

The malware can be acquired via a number of different ways, some of them include the following:

  • The Google Play Store – This was the most popular way of getting infected with the malware before it was pulled out by Google.

  • Third-Party Repositories – Unofficial software sources are one of the most popular for spreading all kinds of malware. This is the reason why all good security practices discourage and forbid their use.

  • Email Spam Campaigns – Hackers can distribute links or directly attach APK installation files of the SMSVova Android Malware in phishing campaigns.

  • Delivery Via a PC Virus – Various computer viruses can infect connected Android devices with malware. To prevent such instances from occurring we recommend that all of our readers employ a quality anti-spyware solution.

The number of affected victims is estimated to be between one and five million Android users from the official Google Play app.

Android O Will Prevent Malware Attacks

In the upcoming version of the Android operating system (known as Android O) Google will deprecate some of the window types which are commonly used by various malware and ransomware. This is going to repel a sizable part of the available viruses to date for the platform. This is due to the fact that they rely on these application frames to create their running instances. From this update forward the system windows are going to be classified as “Above Dangerous”. This means that requesting apps need to provide instructions to the users on how to activate the requested functionality by going to the Android system settings.

The system messages are used to display ransomware notes, counterfeit notifications and other types of alerts. When the update takes place the schemes used so far by the attackers will need to be changed to reflect the new system procedures.

Computer malware can cause performance issues, data loss, system changes, unauthorized surveillance and other types of damage. To protect yourself from all kinds of viruses we recommend that you use a quality anti-spyware solution which is able to both delete existing threats and protect from incoming infections.

SpyHunter anti-malware tool will diagnose all current threats on the computer. By purchasing the full version, you will be able to remove all malware threats instantly. Additional information about SpyHunter / Help to uninstall SpyHunter

Author : Martin Beltov

Martin graduated with a degree in Publishing from Sofia University. As a cyber security enthusiast he enjoys writing about the latest threats and mechanisms of intrusion.


Related Posts