An internet security company has published its findings on an Android app that contained spyware controlled via text messages. Researchers at Zscaler have determined an app suspiciously titled “System Update” gave attackers the ability to execute commands on a remote device and receive its location data. The app — which was just deleted on Google Play Store — had been available for the last three years, and was listed as having been downloaded anywhere from 1 million to 5 million times.
The reviews all indicate users had been installing System Update believing, unsurprisingly, that it would update the version of Android on their device. Instead, when opened for the first time, the app would display the standard system error message — “Unfortunately, System Update has stopped” — and remove itself from the app drawer.
This would activate the spyware, named SMSVova, and set things into motion. SMSVova fetches the user’s location data and begins reading text messages, looking for an SMS message that reads “get faq.” If another device texts “get faq” to the infected party, the latter will automatically respond with a list of commands. By texting these commands to the affected device, the attacker could remotely lock the phone with a password or even issue fake low-battery warnings.
At this point, the attacker is given total access to the coordinates of the infected phone. Although the app is no longer available to download from Google’s marketplace, Zscaler reports it found the code living in another remote access program, called DroidJack.
There is of course no shortage of ways in which an unscrupulous hacker could gain access into your phone, especially with the help of user-installed software. But this is certainly one of the more interesting methods. It’s also quite frightening, considering it gives the attacker so much power through the seemingly harmless and unsophisticated medium of text messages. Then again, in light of the deadly string of emojis that can incapacitate an iPhone, perhaps we shouldn’t be so surprised.