A new report from Zscaler today highlights an app that was available on the Google Play Store and, once installed, acted as spyware that not only tracked user location data but also slowed down the performance of devices. Zscaler has confirmed that since the app’s true nature was brought to Google's attention, it has been removed from the Google Play Store and therefore no longer poses an immediate threat. However, the Zscaler ThreatLabz team found that before its removal, the app had been installed somewhere between one and five million times since its initial release back in 2014.
“System Update,” the app in question, posed as an app that offered users access to Android software updates. Zscaler explains that the lack of any detailed description on the Google Play Store (along with blank screenshots) was cause for concern, and among the indicators that brought the app to Zscaler's attention in the first place. One of the additional red flags that Zscaler points out was the low review score, with many who had downloaded the app simply stating that it continually force closed itself whenever it was launched. On the face of it, that would simply suggest a poor quality app, but it was in fact how the app was able to embed itself deeper in a device's system. Once the app was launched and did force close, it was then able to initiate its true purpose: setting up a service and broadcast receiver and transmitting user location information to a third party in real time. One of the other system permissions that the app would make use of (without announcing it to the user) is the scanning of incoming SMS messages, which was used to allow the third party to remotely initiate commands when needed.
While this app has now been confirmed as removed from the Google Play Store, the Zscaler report proves alarming for two clear reasons. The first is that this app was allowed to remain on the Google Play Store, accumulating downloads, for a significant period of time, despite not receiving an update since 2014, the year of its release. The second reason is that, as Zscaler points out, while a number of apps have been found to make use of similar technology, they are apps which usually declare that they need some form of tracking permissions. That is, these apps are usually disguised as an app in which location tracking would be considered 'normal' behavior, for instance an app parents use to track a child’s location. However, that was not the case with this app, which made no claims to track any user location information, and yet it did.
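
The combination described above (a background service, a broadcast receiver reacting to incoming SMS, and location access, with no tracking purpose disclosed in the store listing) can be checked for when triaging an app. The following is an added example, not code from Zscaler's report: it assumes the manifest has already been decoded to plain XML, the sample manifests and their package and component names are constructed, and `listing_discloses_tracking` is a hypothetical analyst-supplied flag.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace
LOCATION = {"android.permission.ACCESS_FINE_LOCATION",
            "android.permission.ACCESS_COARSE_LOCATION"}
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

def capabilities(manifest_xml):
    """Return the tracking-relevant capabilities a decoded manifest declares."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(NS + "name") for p in root.iter("uses-permission")}
    caps = set()
    if perms & LOCATION:
        caps.add("location")
    if perms & SMS:
        caps.add("sms_permission")
    if next(root.iter("service"), None) is not None:
        caps.add("service")
    for receiver in root.iter("receiver"):
        actions = {a.get(NS + "name") for a in receiver.iter("action")}
        if SMS_ACTION in actions:  # receiver is woken by every incoming SMS
            caps.add("sms_receiver")
    return caps

def needs_review(manifest_xml, listing_discloses_tracking):
    """Flag location + SMS-triggered receiver + service when no tracking is disclosed."""
    wanted = {"location", "sms_receiver", "service"}
    return wanted <= capabilities(manifest_xml) and not listing_discloses_tracking

# Constructed sample manifests (hypothetical package and component names).
SUSPECT = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.updater">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <service android:name=".SyncService"/>
    <receiver android:name=".SmsListener">
      <intent-filter><action android:name="android.provider.Telephony.SMS_RECEIVED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""
BENIGN = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.torch">
  <uses-permission android:name="android.permission.CAMERA"/>
  <application><service android:name=".TorchService"/></application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, sorted(capabilities(xml)), needs_review(xml, False))
```

A match is a prompt for manual review, not a verdict: an app that openly declares a tracking purpose, such as the parental location tracker mentioned above, declares the same capabilities.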