Google removed four Android applications from Google Play; all of them contained the Overseer spyware Trojan.
The Overseer Spyware Trojan Contaminates Google Play Apps
Lookout Security, together with an enterprise customer, has identified a new malware family lurking on the Google Play store: the Overseer Trojan, found in several applications that were available on the platform. One of the infected apps was a search tool developed to help travelers find embassies abroad. Malicious code was also found in Russian and European Android apps.
The Overseer Trojan has a few interesting features. It targets foreign travelers who search for embassies through the infected applications. Its malicious C&C servers use Facebook's Parse Server, hosted on the cloud service operated by Amazon. The spyware communicates over HTTPS, so its traffic blends in with ordinary encrypted web traffic and is very hard for security analysts or network analysis tools to distinguish from legitimate connections.
The identified variants of Overseer collect the following data from the victim device:
- The user’s contact information including name, phone number and email
- All user accounts on the victim device
- The ID of the connected base station, its longitude and latitude, the network ID and the location area code
- All installed packages, permission sets and sideload status
- Information about the free internal and external memory
- Device information including IMEI, IMSI, MCC, MNC, phone type, network operator, device manufacturer, device ID, device model, Android version, Android ID, SDK level and build
- Root Status
The Overseer Trojan can send any of the captured information to the remote operators over the encrypted channel.
The infected applications have been deleted from the Google Play Store, and all Lookout Security customers are protected from the threat. Fortunately, the apps had a low download count, so not many users are affected by the malware.